Windows Analysis Report
Wk6IMAhBNF.exe

Overview

General Information

Sample name: Wk6IMAhBNF.exe (renamed because original name is a hash value)
Original sample name: FF61853AA5A10D3FE8FBE0D5470DB9D0.exe
Analysis ID: 1581277
MD5: ff61853aa5a10d3fe8fbe0d5470db9d0
SHA1: bc6f2373b942643d275a062ac01367b197c3ad24
SHA256: ec234980252c20fc05b927ffa9bc292c88f210bda8e2e532a38cf9cbd1e72557
Tags: exe, ValleyRAT, user-abuse_ch

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected GhostRat
AI detected suspicious sample
Contains functionality to detect virtual machines
Contains functionality to capture and log keystrokes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found evasive API chain (may stop execution after checking mutex)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
PE file has a writeable .text section
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • Wk6IMAhBNF.exe (PID: 2148 cmdline: "C:\Users\user\Desktop\Wk6IMAhBNF.exe" MD5: FF61853AA5A10D3FE8FBE0D5470DB9D0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Wk6IMAhBNF.exe | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1999206035.0000000000438000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: Wk6IMAhBNF.exe PID: 2148 | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |

Source | Rule | Description | Author | Strings
0.2.Wk6IMAhBNF.exe.400000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.0.Wk6IMAhBNF.exe.400000.0.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

                  System Summary

                  Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 103.199.100.97, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\Wk6IMAhBNF.exe, Initiated: true, ProcessId: 2148, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49786

                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-12-27T09:57:51.073805+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 103.199.100.97 | 8080 | TCP
                  2024-12-27T09:59:01.558575+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49786 | 103.199.100.97 | 8080 | TCP
                  2024-12-27T10:00:12.511514+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 103.199.100.97 | 8080 | TCP

                  AV Detection

                  Source: Wk6IMAhBNF.exe | Virustotal: Detection: 47%
                  Source: Wk6IMAhBNF.exe | ReversingLabs: Detection: 57%
                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: Wk6IMAhBNF.exe | Joe Sandbox ML: detected

                  Compliance

                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Unpacked PE file: 0.2.Wk6IMAhBNF.exe.5880000.3.unpack
                  Source: Wk6IMAhBNF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: Binary string: iphlpapi.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458607021.00000000025AD000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: wkernel32.pdb source: Wk6IMAhBNF.exe, 00000000.00000003.2235912555.00000000021AF000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458151098.00000000022CB000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: iphlpapi.pdb source: Wk6IMAhBNF.exe, Wk6IMAhBNF.exe, 00000000.00000002.4458607021.00000000025AD000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458607021.0000000002540000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: wkernelbase.pdb source: Wk6IMAhBNF.exe, 00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2185256355.00000000021A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: Wk6IMAhBNF.exe, Wk6IMAhBNF.exe, 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2185256355.00000000021A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: wuser32.pdb source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.00000000029AC000.00000040.00000800.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2268938025.0000000002544000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wkernelbase.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: wkernel32.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000003.2235912555.00000000021AF000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458151098.00000000022CB000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdb source: Wk6IMAhBNF.exe, Wk6IMAhBNF.exe, 00000000.00000002.4458607021.0000000002540000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: wuser32.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.00000000029AC000.00000040.00000800.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2268938025.0000000002544000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, [:
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_058880E0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 4x nop then lea eax, dword ptr [ebp-00000114h] | 0_2_0040BAA0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 4x nop then lea eax, dword ptr [ebp-38h] | 0_2_0040BC00
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 4x nop then mov dword ptr [ebp-54h], 00000040h | 0_2_0040BC8C

                  Networking

                  Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49786 -> 103.199.100.97:8080
                  Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49979 -> 103.199.100.97:8080
                  Source: global traffic | TCP traffic: 192.168.2.5:49786 -> 103.199.100.97:8080
                  Source: global traffic | TCP traffic: 192.168.2.5:49958 -> 103.199.100.130:8181
                  Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
                  Source: unknown | TCP traffic detected without corresponding DNS query: 103.199.100.97
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_00404BBD select,recv

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: [esc] | 0_2_0588E740
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0588E740 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0588BBD0 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0588E3E0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.00000000029AC000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputData | memstr_61d963bb-0
                  Source: Yara match | File source: 00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Wk6IMAhBNF.exe PID: 2148, type: MEMORYSTR

                  System Summary

                  Source: Wk6IMAhBNF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0588B41F ExitWindowsEx
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0588B443 ExitWindowsEx
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0588B3FB ExitWindowsEx
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: String function: 058941F0 appears 32 times
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: String function: 00418D67 appears 46 times
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: String function: 00418CC5 appears 32 times
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: String function: 0226F8D7 appears 51 times
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: String function: 004192C0 appears 49 times
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: String function: 00418CFC appears 40 times
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: String function: 0040F1F6 appears 33 times
                  Source: Wk6IMAhBNF.exe | Binary or memory string: OriginalFilename vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000003.2329543309.0000000000866000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenameFeedbackCollector.exe^ vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458408865.00000000024BC000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458607021.00000000025AD000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameadvapi32.dllj% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458607021.00000000025AD000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiphlpapi.dllj% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.0000000002A53000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458151098.000000000231B000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458721208.000000000295E000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000003.2268938025.0000000002544000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000003.2235912555.0000000002241000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000003.2185256355.00000000022CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000003.2235912555.00000000021AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458151098.00000000022CB000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe | Binary or memory string: OriginalFilenameFeedbackCollector.exe^ vs Wk6IMAhBNF.exe
                  Source: Wk6IMAhBNF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: Wk6IMAhBNF.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/2
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_05887730 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_05887610 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_05887B60 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_05886C20 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_05886020 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0040C523 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantClear,CoUninitialize
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Mutant created: \Sessions\1\BaseNamedObjects\???????
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Command line argument: >QC | 0_2_00435090
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: Wk6IMAhBNF.exeVirustotal: Detection: 47%
                  Source: Wk6IMAhBNF.exeReversingLabs: Detection: 57%
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: d3d11.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: dxgi.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: resourcepolicyclient.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: d3d10warp.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: dxcore.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: napinsp.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: pnrpnsp.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: wshbth.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: nlaapi.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: winrnr.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: dinput8.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: inputhost.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: devenum.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: devobj.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: msdmo.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: avicap32.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: msvfw32.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                  Source: Wk6IMAhBNF.exe | Static file information: File size 1151488 > 1048576
                  Source: Wk6IMAhBNF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: iphlpapi.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458607021.00000000025AD000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: wkernel32.pdb source: Wk6IMAhBNF.exe, 00000000.00000003.2235912555.00000000021AF000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458151098.00000000022CB000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: iphlpapi.pdb source: Wk6IMAhBNF.exe, Wk6IMAhBNF.exe, 00000000.00000002.4458607021.00000000025AD000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458607021.0000000002540000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: wkernelbase.pdb source: Wk6IMAhBNF.exe, 00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2185256355.00000000021A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: Wk6IMAhBNF.exe, Wk6IMAhBNF.exe, 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2185256355.00000000021A7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: wuser32.pdb source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.00000000029AC000.00000040.00000800.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2268938025.0000000002544000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: wkernelbase.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: wkernel32.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000003.2235912555.00000000021AF000.00000004.00000020.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000002.4458151098.00000000022CB000.00000040.00000020.00020000.00000000.sdmp
                  Source: Binary string: advapi32.pdb source: Wk6IMAhBNF.exe, Wk6IMAhBNF.exe, 00000000.00000002.4458607021.0000000002540000.00000040.00000800.00020000.00000000.sdmp
                  Source: Binary string: wuser32.pdbUGP source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.00000000029AC000.00000040.00000800.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2268938025.0000000002544000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Unpacked PE file: 0.2.Wk6IMAhBNF.exe.400000.0.unpack .text:EW;.rdata:W;.data:W;.gfids:W;.tls:W;.rsrc:W;.reloc:W;.NLDEE:EW;.idata:W;.NLDEE:R; vs .text:ER;.rdata:R;.data:R;.gfids:R;.tls:R;.rsrc:R;.reloc:R;.NLDEE:ER;.idata:R;.NLDEE:R;
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Unpacked PE file: 0.2.Wk6IMAhBNF.exe.5880000.3.unpack
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_05887480 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,0_2_05887480
                  Source: initial sample | Static PE information: section where entry point is pointing to: .NLDEE
                  Source: Wk6IMAhBNF.exe | Static PE information: real checksum: 0x125d0f should be: 0x125207
                  Source: Wk6IMAhBNF.exe | Static PE information: section name: .NLDEE
                  Source: Wk6IMAhBNF.exe | Static PE information: section name: .NLDEE entropy: 7.823713533239283
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0588B39D OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,0_2_0588B39D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE IpDates_info
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Wk6IMAhBNF.exe, type: SAMPLE
                  Source: Yara match | File source: 0.2.Wk6IMAhBNF.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.Wk6IMAhBNF.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.1999206035.0000000000438000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Wk6IMAhBNF.exe PID: 2148, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: VMware VMware VMware VBOX VBOX VBOX VBOX VMware VMware VMware 0_2_0040CB1E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: vmware vmware vmware vmware 0_2_0040DAA8
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Code function: 0_2_0040DC56 __ehhandler$___std_fs_get_file_attributes_by_handle@8,__EH_prolog3_GS,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__aulldiv,GetCursorPos,GetCursorPos,GetCursorPos,0_2_0040DC56
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-71483
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | System information queried: FirmwareTableInformation
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | API/Special instruction interceptor: Address: 483E9F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | API/Special instruction interceptor: Address: 481848
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe | API/Special instruction interceptor: Address: 49EB0F
                  Source: Wk6IMAhBNF.exe | Binary or memory string: DIR_WATCH.DLL
                  Source: Wk6IMAhBNF.exeBinary or memory string: .LNKROOT\WMISELECT * FROM MSACPI_THERMALZONETEMPERATUREWQLCURRENTTEMPERATURE08-00-2700-03-FF00-05-6900-0C-2900-50-56\\.\PHYSICALDRIVE0VBOXSERVICE.EXEVBOXTRAY.EXEVMWARE.EXEVMTOOLSD.EXEVIRTUAL MACHINETEMP\*ROOT\CIMV2SELECT * FROM SERIALNUMBERWIN32_BASEBOARDNONECAPTIONWIN32_DISKDRIVEVMWAREVBOXVIRTUAL HDMODELWIN32_COMPUTERSYSTEMVIRTUALBOXFAILED TO CREATE D3D11 DEVICE.FAILED TO CREATE DXGI FACTORY.CURRENTUSERSANDBOXEMILYHAPUBWSHONG LEEIT-ADMINJOHNSONMILLERMILOZSPETER WILSONTIMMYUSERSAND BOXMALWAREMALTESTTEST USERVIRUSJOHN DOESANGFORJOHN-PCSANDBOX7SILVIAHANSPETER-PCMUELLER-PCWIN7 - TRAPSFORTINETTEQUILABOOMBOOMRUNDLL32.EXEFAILED TO GET EXECUTABLE PATHAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT64.DLLCMDVRT32.DLLRTLINITUNICODESTRINGNTDLL.DLLZWQUERYLICENSEVALUEKERNEL-VMDETECTION-PRIVATENOT SPECIFIEDBAD_INDEXVMWAREFAILED TO RETRIEVE SMBIOS DATA.DETECT AS A VM BASED ON THE NUMBER OF CPU CORES.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON THE NUMBER OF CPU CORES.[-]DETECT AS A VM BASED ON PHYSICAL MEMORY SIZE.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON PHYSICAL MEMORY SIZE.[-]DETECT AS A VM BASED ON TOTAL DISK SIZE.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON TOTAL DISK SIZE.[-]DETECT AS A VM BASED ON SPECIFIC PROCESSES.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON SPECIFIC PROCESSES.[-]DETECT AS A VM BASED ON HARDWARE INFORMATION.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON HARDWARE INFORMATION.[-]DETECT AS A VM BASED ON SYSTEM BOOT TIME.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON SYSTEM BOOT TIME.[-]DETECT AS A VM BASED ON HYPER-V PRESENCE.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON HYPER-V PRESENCE.[-]DETECT AS A VM BASED ON TEMP FILE COUNT.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON TEMP FILE COUNT.[-]DETECT AS A VM BASED ON CPU TEMPERATURE.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON CPU TEMPERATURE.[-]DETECT AS A VM BASED ON GPU MEMORY.[+]DETECT AS 
PHYSICAL ENVIRONMENT BASED ON GPU MEMORY.[-]DETECT AS A VM BASED ON MAC ADDRESS PREFIX.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON MAC ADDRESS PREFIX.[-]DETECT AS A VM BASED ON USERNAMES.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON USERNAMES.[-]DETECT AS A VM BASED ON NETBIOS NAME.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON NETBIOS NAME.[-]DETECT AS A VM BASED ON RUNDLL32 PARENT PROCESS.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON RUNDLL32 PARENT PROCESS.[-]VOIDWALKERDETECT AS A VM BASED ON CURRENT PROCESS FILENAME.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON CURRENT PROCESS FILENAME.[-]DETECT AS A VM BASED ON EXECUTABLE RUN PATH.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON EXECUTABLE RUN PATH.[-]DETECT AS A VM BASED ON DLLS LOADED.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON DLLS LOADED.[-]DETECT AS A VM BASED ON POWER CAPABILITIES.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON POWER CAPABILITIES.[-]DETECT AS A VM BASED ON LICENSE VALUES.[+]DETECT AS PHYSICAL ENVIRONMENT BASED ON LICENSE VALUES.[-]DETECT AS A VM BASED ON MOTHERBOARD INFO.[+]DETECT AS PHYSICAL ENVIRON
                  Source: Wk6IMAhBNF.exe | Binary or memory string: SBIEDLL.DLL
                  Source: Wk6IMAhBNF.exe | Binary or memory string: API_LOG.DLL
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeRDTSC instruction interceptor: First address: 4D43DB second address: 4D4464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD7694695CAh 0x00000004 sub ebp, 02h 0x00000007 mov edx, esi 0x00000009 sbb eax, 5B71667Fh 0x0000000e je 00007FD7694695DEh 0x00000010 jne 00007FD7694695BEh 0x00000012 lea edx, dword ptr [edx+edi] 0x00000015 bts eax, ebx 0x00000018 call 00007FD7694696EBh 0x0000001d mov ax, bx 0x00000020 xchg edx, eax 0x00000022 jmp 00007FD7694694FCh 0x00000027 mov ah, 70h 0x00000029 xchg dword ptr [esp], ebp 0x0000002c lea edx, dword ptr [00000000h+esi*4] 0x00000033 mov edx, 97CF5B70h 0x00000038 not dh 0x0000003a lea ebp, dword ptr [ebp+19h] 0x0000003d jmp 00007FD769469553h 0x0000003f xchg dl, dh 0x00000041 mov ax, 6802h 0x00000045 mov dl, byte ptr [esp] 0x00000048 pushad 0x00000049 call 00007FD769469580h 0x0000004e xchg dword ptr [esp+24h], ebp 0x00000052 mov dx, word ptr [esp] 0x00000056 jmp 00007FD7694695BDh 0x00000058 mov dx, 42AEh 0x0000005c mov eax, 7814848Ah 0x00000061 push dword ptr [esp+24h] 0x00000065 retn 0028h 0x00000068 or word ptr [ebp+04h], bx 0x0000006c mov eax, edi 0x0000006e mov al, byte ptr [esp] 0x00000071 jmp 00007FD7694695A6h 0x00000073 rdtsc
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeRDTSC instruction interceptor: First address: 4D43FF second address: 4D4464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD76852F716h 0x00000004 sub ebp, 02h 0x00000007 mov edx, esi 0x00000009 sbb eax, 5B71667Fh 0x0000000e je 00007FD76852F74Eh 0x00000010 jne 00007FD76852F72Eh 0x00000012 lea edx, dword ptr [edx+edi] 0x00000015 bts eax, ebx 0x00000018 call 00007FD76852F85Bh 0x0000001d mov ax, bx 0x00000020 xchg edx, eax 0x00000022 jmp 00007FD76852F66Ch 0x00000027 mov ah, 70h 0x00000029 xchg dword ptr [esp], ebp 0x0000002c lea edx, dword ptr [00000000h+esi*4] 0x00000033 mov edx, 97CF5B70h 0x00000038 not dh 0x0000003a lea ebp, dword ptr [ebp+19h] 0x0000003d jmp 00007FD76852F6C3h 0x0000003f xchg dl, dh 0x00000041 mov ax, 6802h 0x00000045 mov dl, byte ptr [esp] 0x00000048 pushad 0x00000049 call 00007FD76852F6F0h 0x0000004e xchg dword ptr [esp+24h], ebp 0x00000052 mov dx, word ptr [esp] 0x00000056 jmp 00007FD76852F72Dh 0x00000058 mov dx, 42AEh 0x0000005c mov eax, 7814848Ah 0x00000061 push dword ptr [esp+24h] 0x00000065 retn 0028h 0x00000068 or word ptr [ebp+04h], bx 0x0000006c mov eax, edi 0x0000006e mov al, byte ptr [esp] 0x00000071 jmp 00007FD76852F716h 0x00000073 rdtsc
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeRDTSC instruction interceptor: First address: 4D64FE second address: 4D651C instructions: 0x00000000 rdtsc 0x00000002 bts bx, di 0x00000006 je 00007FD769469609h 0x00000008 add ax, cx 0x0000000b jmp 00007FD7694695D3h 0x0000000d sub ebp, 02h 0x00000010 dec ax 0x00000012 jl 00007FD769469572h 0x00000014 bt edx, ebp 0x00000017 jmp 00007FD7694695A6h 0x00000019 rdtsc
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeRDTSC instruction interceptor: First address: 4CE45A second address: 4CE535 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD76852F97Ch 0x00000007 mov eax, BEF135F2h 0x0000000c lea edx, dword ptr [esp+ebx] 0x0000000f mov ax, sp 0x00000012 inc ax 0x00000014 jno 00007FD76852F56Eh 0x0000001a mov eax, ebp 0x0000001c rdtsc
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeRDTSC instruction interceptor: First address: 4CE535 second address: 4CE55C instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 mov eax, dword ptr [esp] 0x00000007 jmp 00007FD7694694F0h 0x0000000c neg eax 0x0000000e je 00007FD769469588h 0x00000010 mov eax, 7325303Fh 0x00000015 sub eax, ecx 0x00000017 xchg eax, edx 0x00000018 sub esp, 13h 0x0000001b lea esp, dword ptr [esp+03h] 0x0000001f jmp 00007FD7694695D2h 0x00000021 lea esp, dword ptr [esp+10h] 0x00000025 jmp 00007FD769469622h 0x0000002a xor cl, 0000001Ch 0x0000002d mov ah, dl 0x0000002f rdtsc
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeRDTSC instruction interceptor: First address: 46B96A second address: 46BA09 instructions: 0x00000000 rdtsc 0x00000002 mov cl, byte ptr [esp] 0x00000005 xchg edi, eax 0x00000007 push dword ptr [esp+14h] 0x0000000b retn 0018h 0x0000000e push 00000000h 0x00000013 jmp 00007FD76853007Fh 0x00000018 mov esi, dword ptr [esp+2Ch] 0x0000001c jmp 00007FD76852F786h 0x0000001e lea ebp, dword ptr [esp] 0x00000021 sub esp, 000000C0h 0x00000027 mov edi, esp 0x00000029 call 00007FD76852F6CCh 0x0000002e neg edx 0x00000030 mov eax, dword ptr [esp] 0x00000033 bsf ecx, ecx 0x00000036 xchg dword ptr [esp], ebx 0x00000039 add cx, B33Ch 0x0000003e jmp 00007FD76852F6EAh 0x00000040 lea eax, dword ptr [00000000h+ebx*4] 0x00000047 setp ch 0x0000004a neg cx 0x0000004d jmp 00007FD76852F72Bh 0x0000004f lea ebx, dword ptr [ebx-00000084h] 0x00000055 bswap ecx 0x00000057 add dl, ch 0x00000059 lea eax, dword ptr [00000000h+edx*4] 0x00000060 inc dx 0x00000062 btc ax, bp 0x00000066 jmp 00007FD76852F747h 0x00000068 xchg dword ptr [esp], ebx 0x0000006b mov dl, byte ptr [esp] 0x0000006e call 00007FD76852F6F4h 0x00000073 pop eax 0x00000074 mov edx, 3C867E29h 0x00000079 rdtsc
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeRDTSC instruction interceptor: First address: 40E1B7 second address: 40E1C1 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 call dword ptr [0043806Ch] 0x0000000a jmp dword ptr [022CCA2Fh] 0x00000010 mov eax, dword ptr fs:[00000030h] 0x00000016 mov eax, dword ptr [eax+18h] 0x00000019 ret 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0040DC56 rdtsc 0_2_0040DC56
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: __EH_prolog3_GS,GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,0_2_0040CEF5
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeWindow / User API: threadDelayed 489
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeWindow / User API: threadDelayed 2183
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeWindow / User API: threadDelayed 3571
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_0-71203
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeEvasive API call chain: RegQueryValue,DecisionNodes,Sleepgraph_0-71204
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 1436Thread sleep count: 73 > 30
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 1436Thread sleep time: -292000s >= -30000s
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 2072Thread sleep count: 489 > 30
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 2072Thread sleep time: -489000s >= -30000s
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 2300Thread sleep count: 2183 > 30
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 1436Thread sleep count: 216 > 30
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 1436Thread sleep time: -864000s >= -30000s
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 2072Thread sleep count: 3571 > 30
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe TID: 2072Thread sleep time: -3571000s >= -30000s
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeSystem information queried: CurrentTimeZoneInformation
                  Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeFile opened: PhysicalDrive0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_computersystem
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeThread sleep count: Count: 2183 delay: -10
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_058880E0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,0_2_058880E0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_05887400 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_05887400
                  Source: Wk6IMAhBNF.exeBinary or memory string: VMware
                  Source: Wk6IMAhBNF.exeBinary or memory string: VBoxService.exe
                  Source: Wk6IMAhBNF.exeBinary or memory string: Detect as physical environment based on Hyper-V presence.[-]
                  Source: Wk6IMAhBNF.exeBinary or memory string: vmware
                  Source: Wk6IMAhBNF.exeBinary or memory string: .lnkROOT\WMISELECT * FROM MSAcpi_ThermalZoneTemperatureWQLCurrentTemperature08-00-2700-03-FF00-05-6900-0C-2900-50-56\\.\PhysicalDrive0VBoxService.exeVBoxTray.exevmware.exevmtoolsd.exeVirtual MachineTEMP\*ROOT\CIMV2SELECT * FROM SerialNumberWin32_BaseBoardNoneCaptionWin32_DiskDriveVMwareVBOXVirtual HDModelWin32_computersystemVirtualBoxFailed to create D3D11 device.Failed to create DXGI factory.CurrentUserSandboxEmilyHAPUBWSHong LeeIT-ADMINJohnsonMillermilozsPeter Wilsontimmyusersand boxmalwaremaltesttest uservirusJohn DoeSangforJOHN-PCSANDBOX7SILVIAHANSPETER-PCMUELLER-PCWIN7 - TRAPSFORTINETTEQUILABOOMBOOMrundll32.exeFailed to get executable pathavghookx.dllavghooka.dllsnxhk.dllsbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dllcmdvrt64.dllcmdvrt32.dllRtlInitUnicodeStringntdll.dllZwQueryLicenseValueKernel-VMDetection-PrivateNot SpecifiedBAD_INDEXvmwareFailed to retrieve SMBIOS data.Detect as a VM based on the number of CPU cores.[+]Detect as physical environment based on the number of CPU cores.[-]Detect as a VM based on physical memory size.[+]Detect as physical environment based on physical memory size.[-]Detect as a VM based on total disk size.[+]Detect as physical environment based on total disk size.[-]Detect as a VM based on specific processes.[+]Detect as physical environment based on specific processes.[-]Detect as a VM based on hardware information.[+]Detect as physical environment based on hardware information.[-]Detect as a VM based on system boot time.[+]Detect as physical environment based on system boot time.[-]Detect as a VM based on Hyper-V presence.[+]Detect as physical environment based on Hyper-V presence.[-]Detect as a VM based on temp file count.[+]Detect as physical environment based on temp file count.[-]Detect as a VM based on CPU temperature.[+]Detect as physical environment based on CPU temperature.[-]Detect as a VM based on GPU memory.[+]Detect as 
physical environment based on GPU memory.[-]Detect as a VM based on MAC address prefix.[+]Detect as physical environment based on MAC address prefix.[-]Detect as a VM based on usernames.[+]Detect as physical environment based on usernames.[-]Detect as a VM based on NetBIOS name.[+]Detect as physical environment based on NetBIOS name.[-]Detect as a VM based on rundll32 parent process.[+]Detect as physical environment based on rundll32 parent process.[-]VoidWalkerDetect as a VM based on current process filename.[+]Detect as physical environment based on current process filename.[-]Detect as a VM based on executable run path.[+]Detect as physical environment based on executable run path.[-]Detect as a VM based on DLLs loaded.[+]Detect as physical environment based on DLLs loaded.[-]Detect as a VM based on power capabilities.[+]Detect as physical environment based on power capabilities.[-]Detect as a VM based on license values.[+]Detect as physical environment based on license values.[-]Detect as a VM based on motherboard info.[+]Detect as physical environ
                  Source: Wk6IMAhBNF.exeBinary or memory string: vmtoolsd.exe
                  Source: Wk6IMAhBNF.exeBinary or memory string: vmware.exe
                  Source: Wk6IMAhBNF.exeBinary or memory string: Detect as a VM based on Hyper-V presence.[+]
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                  Source: Wk6IMAhBNF.exeBinary or memory string: VBoxTray.exe
                  Source: Wk6IMAhBNF.exeBinary or memory string: Virtual HD
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4457620055.000000000082C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeAPI call chain: ExitProcess graph end nodegraph_0-71703
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeProcess information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeProcess Stats: CPU usage > 42% for more than 60s
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeThread information set: HideFromDebugger
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0040DC56 Start: 0040E1CD End: 0040E1C10_2_0040DC56
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_004882F3 Start: 0048838D End: 004883D00_2_004882F3
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0040DC56 rdtsc 0_2_0040DC56
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02404305 LdrInitializeThunk,0_2_02404305
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0588EEFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0588EEFA
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0589043B VirtualProtect ?,-00000001,00000104,?0_2_0589043B
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_05887480 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,0_2_05887480
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0042073A mov eax, dword ptr fs:[00000030h]0_2_0042073A
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226AEAF mov ecx, dword ptr fs:[00000030h]0_2_0226AEAF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB22E mov eax, dword ptr fs:[00000030h]0_2_022AB22E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229C234 mov eax, dword ptr fs:[00000030h]0_2_0229C234
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229C234 mov ecx, dword ptr fs:[00000030h]0_2_0229C234
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A320F mov eax, dword ptr fs:[00000030h]0_2_022A320F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A320F mov ecx, dword ptr fs:[00000030h]0_2_022A320F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF262 mov eax, dword ptr fs:[00000030h]0_2_022BF262
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AC27F mov eax, dword ptr fs:[00000030h]0_2_022AC27F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02298273 mov eax, dword ptr fs:[00000030h]0_2_02298273
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02298273 mov ecx, dword ptr fs:[00000030h]0_2_02298273
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BB243 mov eax, dword ptr fs:[00000030h]0_2_022BB243
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229E251 mov eax, dword ptr fs:[00000030h]0_2_0229E251
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225C2ED mov eax, dword ptr fs:[00000030h]0_2_0225C2ED
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B52E7 mov eax, dword ptr fs:[00000030h]0_2_022B52E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A72FF mov ecx, dword ptr fs:[00000030h]0_2_022A72FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022942FF mov eax, dword ptr fs:[00000030h]0_2_022942FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F2FF mov eax, dword ptr fs:[00000030h]0_2_0228F2FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022862CD mov eax, dword ptr fs:[00000030h]0_2_022862CD
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226A2DA mov eax, dword ptr fs:[00000030h]0_2_0226A2DA
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229C320 mov eax, dword ptr fs:[00000030h]0_2_0229C320
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BA327 mov eax, dword ptr fs:[00000030h]0_2_022BA327
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF338 mov eax, dword ptr fs:[00000030h]0_2_022BF338
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B7370 mov eax, dword ptr fs:[00000030h]0_2_022B7370
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228D374 mov eax, dword ptr fs:[00000030h]0_2_0228D374
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A335F mov eax, dword ptr fs:[00000030h]0_2_022A335F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A335F mov ecx, dword ptr fs:[00000030h]0_2_022A335F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A83BF mov ecx, dword ptr fs:[00000030h]0_2_022A83BF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AC3BF mov eax, dword ptr fs:[00000030h]0_2_022AC3BF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226B399 mov eax, dword ptr fs:[00000030h]0_2_0226B399
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A9395 mov eax, dword ptr fs:[00000030h]0_2_022A9395
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229D3EF mov eax, dword ptr fs:[00000030h]0_2_0229D3EF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A83FF mov eax, dword ptr fs:[00000030h]0_2_022A83FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BD3CF mov eax, dword ptr fs:[00000030h]0_2_022BD3CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BD3CF mov ecx, dword ptr fs:[00000030h]0_2_022BD3CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227E03F mov eax, dword ptr fs:[00000030h]0_2_0227E03F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02283030 mov eax, dword ptr fs:[00000030h]0_2_02283030
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229001F mov eax, dword ptr fs:[00000030h]0_2_0229001F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229C01F mov eax, dword ptr fs:[00000030h]0_2_0229C01F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B507B mov eax, dword ptr fs:[00000030h]0_2_022B507B
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F07F mov eax, dword ptr fs:[00000030h]0_2_0228F07F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AC04F mov eax, dword ptr fs:[00000030h]0_2_022AC04F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229C059 mov eax, dword ptr fs:[00000030h]0_2_0229C059
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A90AF mov eax, dword ptr fs:[00000030h]0_2_022A90AF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022650BF mov eax, dword ptr fs:[00000030h]0_2_022650BF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229E0EE mov eax, dword ptr fs:[00000030h]0_2_0229E0EE
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022900CF mov eax, dword ptr fs:[00000030h]0_2_022900CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF0CC mov eax, dword ptr fs:[00000030h]0_2_022BF0CC
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B5129 mov eax, dword ptr fs:[00000030h]0_2_022B5129
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227D13F mov eax, dword ptr fs:[00000030h]0_2_0227D13F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227D13F mov ecx, dword ptr fs:[00000030h]0_2_0227D13F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229D16C mov eax, dword ptr fs:[00000030h]0_2_0229D16C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229E173 mov eax, dword ptr fs:[00000030h]0_2_0229E173
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229C195 mov eax, dword ptr fs:[00000030h]0_2_0229C195
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226B1FC mov eax, dword ptr fs:[00000030h]0_2_0226B1FC
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226B1FC mov ecx, dword ptr fs:[00000030h]0_2_0226B1FC
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BE1CE mov eax, dword ptr fs:[00000030h]0_2_022BE1CE
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022631DF mov eax, dword ptr fs:[00000030h]0_2_022631DF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022631DF mov ecx, dword ptr fs:[00000030h]0_2_022631DF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A663F mov eax, dword ptr fs:[00000030h]0_2_022A663F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B1636 mov eax, dword ptr fs:[00000030h]0_2_022B1636
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B1636 mov ecx, dword ptr fs:[00000030h]0_2_022B1636
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BE609 mov eax, dword ptr fs:[00000030h]0_2_022BE609
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228C66F mov eax, dword ptr fs:[00000030h]0_2_0228C66F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B964D mov eax, dword ptr fs:[00000030h]0_2_022B964D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BB646 mov eax, dword ptr fs:[00000030h]0_2_022BB646
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228D65F mov eax, dword ptr fs:[00000030h]0_2_0228D65F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228D65F mov ecx, dword ptr fs:[00000030h]0_2_0228D65F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B6653 mov eax, dword ptr fs:[00000030h]0_2_022B6653
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227C6EF mov eax, dword ptr fs:[00000030h]0_2_0227C6EF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227C6EF mov ecx, dword ptr fs:[00000030h]0_2_0227C6EF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AC6FB mov eax, dword ptr fs:[00000030h]0_2_022AC6FB
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022906CF mov eax, dword ptr fs:[00000030h]0_2_022906CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229E6DF mov eax, dword ptr fs:[00000030h]0_2_0229E6DF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229E6DF mov eax, dword ptr fs:[00000030h]0_2_0229E6DF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AA728 mov eax, dword ptr fs:[00000030h]0_2_022AA728
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AA728 mov eax, dword ptr fs:[00000030h]0_2_022AA728
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AA728 mov eax, dword ptr fs:[00000030h]0_2_022AA728
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AA728 mov eax, dword ptr fs:[00000030h]0_2_022AA728
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AA728 mov ecx, dword ptr fs:[00000030h]0_2_022AA728
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BB728 mov eax, dword ptr fs:[00000030h]0_2_022BB728
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A7720 mov eax, dword ptr fs:[00000030h]0_2_022A7720
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A7720 mov ecx, dword ptr fs:[00000030h]0_2_022A7720
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BE737 mov eax, dword ptr fs:[00000030h]0_2_022BE737
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BE737 mov eax, dword ptr fs:[00000030h]0_2_022BE737
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226B716 mov eax, dword ptr fs:[00000030h]0_2_0226B716
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226B716 mov eax, dword ptr fs:[00000030h]0_2_0226B716
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228171F mov eax, dword ptr fs:[00000030h]0_2_0228171F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2771 mov eax, dword ptr fs:[00000030h]0_2_022A2771
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2771 mov eax, dword ptr fs:[00000030h]0_2_022A2771
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2771 mov eax, dword ptr fs:[00000030h]0_2_022A2771
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228A777 mov eax, dword ptr fs:[00000030h]0_2_0228A777
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228A777 mov eax, dword ptr fs:[00000030h]0_2_0228A777
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228A777 mov eax, dword ptr fs:[00000030h]0_2_0228A777
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228A777 mov eax, dword ptr fs:[00000030h]0_2_0228A777
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B57A2 mov eax, dword ptr fs:[00000030h]0_2_022B57A2
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B57A2 mov eax, dword ptr fs:[00000030h]0_2_022B57A2
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229E78F mov eax, dword ptr fs:[00000030h]0_2_0229E78F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229E78F mov eax, dword ptr fs:[00000030h]0_2_0229E78F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228379E mov ecx, dword ptr fs:[00000030h]0_2_0228379E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228379E mov eax, dword ptr fs:[00000030h]0_2_0228379E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F7FF mov eax, dword ptr fs:[00000030h]0_2_0228F7FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F7FF mov eax, dword ptr fs:[00000030h]0_2_0228F7FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F7FF mov eax, dword ptr fs:[00000030h]0_2_0228F7FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F7FF mov eax, dword ptr fs:[00000030h]0_2_0228F7FF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022907D6 mov eax, dword ptr fs:[00000030h]0_2_022907D6
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228B42C mov eax, dword ptr fs:[00000030h]0_2_0228B42C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228B42C mov eax, dword ptr fs:[00000030h]0_2_0228B42C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228B42C mov ecx, dword ptr fs:[00000030h]0_2_0228B42C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228C43F mov eax, dword ptr fs:[00000030h]0_2_0228C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228C43F mov eax, dword ptr fs:[00000030h]0_2_0228C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228C43F mov eax, dword ptr fs:[00000030h]0_2_0228C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228C43F mov eax, dword ptr fs:[00000030h]0_2_0228C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225C43F mov eax, dword ptr fs:[00000030h]0_2_0225C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225C43F mov eax, dword ptr fs:[00000030h]0_2_0225C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225C43F mov eax, dword ptr fs:[00000030h]0_2_0225C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225C43F mov eax, dword ptr fs:[00000030h]0_2_0225C43F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B24A4 mov eax, dword ptr fs:[00000030h]0_2_022B24A4
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B24A4 mov eax, dword ptr fs:[00000030h]0_2_022B24A4
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A848F mov ecx, dword ptr fs:[00000030h]0_2_022A848F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BB495 mov eax, dword ptr fs:[00000030h]0_2_022BB495
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BB495 mov eax, dword ptr fs:[00000030h]0_2_022BB495
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229D4EF mov eax, dword ptr fs:[00000030h]0_2_0229D4EF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022AB4E7 mov eax, dword ptr fs:[00000030h]0_2_022AB4E7
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov ecx, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228F4CF mov eax, dword ptr fs:[00000030h]0_2_0228F4CF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229D52F mov eax, dword ptr fs:[00000030h]0_2_0229D52F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BC571 mov eax, dword ptr fs:[00000030h]0_2_022BC571
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF5B5 mov eax, dword ptr fs:[00000030h]0_2_022BF5B5
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF5B5 mov eax, dword ptr fs:[00000030h]0_2_022BF5B5
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF5B5 mov eax, dword ptr fs:[00000030h]0_2_022BF5B5
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF5B5 mov eax, dword ptr fs:[00000030h]0_2_022BF5B5
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228B5B6 mov eax, dword ptr fs:[00000030h]0_2_0228B5B6
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228B5B6 mov eax, dword ptr fs:[00000030h]0_2_0228B5B6
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228B5B6 mov eax, dword ptr fs:[00000030h]0_2_0228B5B6
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FA3F mov eax, dword ptr fs:[00000030h]0_2_0228FA3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FA3F mov eax, dword ptr fs:[00000030h]0_2_0228FA3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FA3F mov ecx, dword ptr fs:[00000030h]0_2_0228FA3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FA3F mov eax, dword ptr fs:[00000030h]0_2_0228FA3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FA3F mov eax, dword ptr fs:[00000030h]0_2_0228FA3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FA3F mov eax, dword ptr fs:[00000030h]0_2_0228FA3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FA3F mov eax, dword ptr fs:[00000030h]0_2_0228FA3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DA1F mov eax, dword ptr fs:[00000030h]0_2_0229DA1F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DA1F mov eax, dword ptr fs:[00000030h]0_2_0229DA1F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229EA7F mov eax, dword ptr fs:[00000030h]0_2_0229EA7F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225BA86 mov eax, dword ptr fs:[00000030h]0_2_0225BA86
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225BA86 mov ecx, dword ptr fs:[00000030h]0_2_0225BA86
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A3AFF mov eax, dword ptr fs:[00000030h]0_2_022A3AFF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A3AFF mov eax, dword ptr fs:[00000030h]0_2_022A3AFF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AACF mov eax, dword ptr fs:[00000030h]0_2_0228AACF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AACF mov eax, dword ptr fs:[00000030h]0_2_0228AACF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AACF mov eax, dword ptr fs:[00000030h]0_2_0228AACF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AACF mov eax, dword ptr fs:[00000030h]0_2_0228AACF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229EADF mov eax, dword ptr fs:[00000030h]0_2_0229EADF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229EADF mov eax, dword ptr fs:[00000030h]0_2_0229EADF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02289B22 mov ecx, dword ptr fs:[00000030h]0_2_02289B22
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02289B22 mov eax, dword ptr fs:[00000030h]0_2_02289B22
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A9B3F mov eax, dword ptr fs:[00000030h]0_2_022A9B3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A9B3F mov ecx, dword ptr fs:[00000030h]0_2_022A9B3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DB0D mov eax, dword ptr fs:[00000030h]0_2_0229DB0D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DB0D mov eax, dword ptr fs:[00000030h]0_2_0229DB0D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BBB11 mov eax, dword ptr fs:[00000030h]0_2_022BBB11
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BBB11 mov eax, dword ptr fs:[00000030h]0_2_022BBB11
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BDB4E mov eax, dword ptr fs:[00000030h]0_2_022BDB4E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BDB4E mov ecx, dword ptr fs:[00000030h]0_2_022BDB4E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B5BAF mov eax, dword ptr fs:[00000030h]0_2_022B5BAF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2B9B mov eax, dword ptr fs:[00000030h]0_2_022A2B9B
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2B9B mov eax, dword ptr fs:[00000030h]0_2_022A2B9B
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B5BF3 mov eax, dword ptr fs:[00000030h]0_2_022B5BF3
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B5BF3 mov eax, dword ptr fs:[00000030h]0_2_022B5BF3
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229EBDF mov eax, dword ptr fs:[00000030h]0_2_0229EBDF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF823 mov eax, dword ptr fs:[00000030h]0_2_022BF823
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226087E mov eax, dword ptr fs:[00000030h]0_2_0226087E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A3873 mov eax, dword ptr fs:[00000030h]0_2_022A3873
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B6845 mov eax, dword ptr fs:[00000030h]0_2_022B6845
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B6845 mov eax, dword ptr fs:[00000030h]0_2_022B6845
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B6845 mov eax, dword ptr fs:[00000030h]0_2_022B6845
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A185B mov ecx, dword ptr fs:[00000030h]0_2_022A185B
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BB8B9 mov eax, dword ptr fs:[00000030h]0_2_022BB8B9
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BB8B9 mov eax, dword ptr fs:[00000030h]0_2_022BB8B9
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B288D mov eax, dword ptr fs:[00000030h]0_2_022B288D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B288D mov eax, dword ptr fs:[00000030h]0_2_022B288D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B288D mov eax, dword ptr fs:[00000030h]0_2_022B288D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B288D mov ecx, dword ptr fs:[00000030h]0_2_022B288D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B288D mov eax, dword ptr fs:[00000030h]0_2_022B288D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B288D mov ecx, dword ptr fs:[00000030h]0_2_022B288D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B5881 mov eax, dword ptr fs:[00000030h]0_2_022B5881
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B5881 mov eax, dword ptr fs:[00000030h]0_2_022B5881
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A78EF mov eax, dword ptr fs:[00000030h]0_2_022A78EF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A78EF mov ecx, dword ptr fs:[00000030h]0_2_022A78EF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF8F0 mov eax, dword ptr fs:[00000030h]0_2_022BF8F0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BE8C0 mov eax, dword ptr fs:[00000030h]0_2_022BE8C0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BE8C0 mov eax, dword ptr fs:[00000030h]0_2_022BE8C0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228D8DF mov eax, dword ptr fs:[00000030h]0_2_0228D8DF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228D8DF mov ecx, dword ptr fs:[00000030h]0_2_0228D8DF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228A94D mov eax, dword ptr fs:[00000030h]0_2_0228A94D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228A94D mov eax, dword ptr fs:[00000030h]0_2_0228A94D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022909A2 mov eax, dword ptr fs:[00000030h]0_2_022909A2
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022909A2 mov eax, dword ptr fs:[00000030h]0_2_022909A2
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022909A2 mov eax, dword ptr fs:[00000030h]0_2_022909A2
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022909A2 mov eax, dword ptr fs:[00000030h]0_2_022909A2
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF9BD mov eax, dword ptr fs:[00000030h]0_2_022BF9BD
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF9BD mov eax, dword ptr fs:[00000030h]0_2_022BF9BD
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BF9BD mov eax, dword ptr fs:[00000030h]0_2_022BF9BD
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229D9BF mov eax, dword ptr fs:[00000030h]0_2_0229D9BF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226B9BB mov eax, dword ptr fs:[00000030h]0_2_0226B9BB
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0226B9BB mov eax, dword ptr fs:[00000030h]0_2_0226B9BB
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B9E2E mov eax, dword ptr fs:[00000030h]0_2_022B9E2E
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2E3F mov eax, dword ptr fs:[00000030h]0_2_022A2E3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2E3F mov ecx, dword ptr fs:[00000030h]0_2_022A2E3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A7E09 mov eax, dword ptr fs:[00000030h]0_2_022A7E09
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A7E09 mov eax, dword ptr fs:[00000030h]0_2_022A7E09
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A7E09 mov eax, dword ptr fs:[00000030h]0_2_022A7E09
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A7E09 mov eax, dword ptr fs:[00000030h]0_2_022A7E09
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A7E09 mov ecx, dword ptr fs:[00000030h]0_2_022A7E09
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02285E6C mov eax, dword ptr fs:[00000030h]0_2_02285E6C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02281E7D mov eax, dword ptr fs:[00000030h]0_2_02281E7D
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B2E49 mov eax, dword ptr fs:[00000030h]0_2_022B2E49
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AE46 mov eax, dword ptr fs:[00000030h]0_2_0228AE46
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AE46 mov eax, dword ptr fs:[00000030h]0_2_0228AE46
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022ABE5F mov eax, dword ptr fs:[00000030h]0_2_022ABE5F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FEAB mov eax, dword ptr fs:[00000030h]0_2_0228FEAB
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228FEAB mov eax, dword ptr fs:[00000030h]0_2_0228FEAB
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B4EBA mov eax, dword ptr fs:[00000030h]0_2_022B4EBA
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AE8C mov eax, dword ptr fs:[00000030h]0_2_0228AE8C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AE8C mov eax, dword ptr fs:[00000030h]0_2_0228AE8C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0228AE8C mov ecx, dword ptr fs:[00000030h]0_2_0228AE8C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A1E85 mov eax, dword ptr fs:[00000030h]0_2_022A1E85
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A1E85 mov eax, dword ptr fs:[00000030h]0_2_022A1E85
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A1E85 mov eax, dword ptr fs:[00000030h]0_2_022A1E85
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov eax, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov eax, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov eax, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov eax, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov eax, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov eax, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov ecx, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A6E93 mov eax, dword ptr fs:[00000030h]0_2_022A6E93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DE93 mov eax, dword ptr fs:[00000030h]0_2_0229DE93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DE93 mov ecx, dword ptr fs:[00000030h]0_2_0229DE93
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227CECF mov eax, dword ptr fs:[00000030h]0_2_0227CECF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227CECF mov eax, dword ptr fs:[00000030h]0_2_0227CECF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227CECF mov eax, dword ptr fs:[00000030h]0_2_0227CECF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225FED0 mov eax, dword ptr fs:[00000030h]0_2_0225FED0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225FED0 mov eax, dword ptr fs:[00000030h]0_2_0225FED0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0225FED0 mov eax, dword ptr fs:[00000030h]0_2_0225FED0
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DF3F mov eax, dword ptr fs:[00000030h]0_2_0229DF3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DF3F mov eax, dword ptr fs:[00000030h]0_2_0229DF3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DF3F mov eax, dword ptr fs:[00000030h]0_2_0229DF3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0229DF3F mov ecx, dword ptr fs:[00000030h]0_2_0229DF3F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02263F0B mov eax, dword ptr fs:[00000030h]0_2_02263F0B
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02263F0B mov ecx, dword ptr fs:[00000030h]0_2_02263F0B
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A1F10 mov eax, dword ptr fs:[00000030h]0_2_022A1F10
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02292F12 mov eax, dword ptr fs:[00000030h]0_2_02292F12
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02292F12 mov eax, dword ptr fs:[00000030h]0_2_02292F12
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227BF6F mov eax, dword ptr fs:[00000030h]0_2_0227BF6F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227BF6F mov ecx, dword ptr fs:[00000030h]0_2_0227BF6F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227BF6F mov eax, dword ptr fs:[00000030h]0_2_0227BF6F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02285F5F mov eax, dword ptr fs:[00000030h]0_2_02285F5F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02285F5F mov eax, dword ptr fs:[00000030h]0_2_02285F5F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BCFAF mov ecx, dword ptr fs:[00000030h]0_2_022BCFAF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2F8F mov eax, dword ptr fs:[00000030h]0_2_022A2F8F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022A2F8F mov ecx, dword ptr fs:[00000030h]0_2_022A2F8F
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B2F98 mov eax, dword ptr fs:[00000030h]0_2_022B2F98
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02281F9C mov eax, dword ptr fs:[00000030h]0_2_02281F9C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02281F9C mov ecx, dword ptr fs:[00000030h]0_2_02281F9C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02281F9C mov eax, dword ptr fs:[00000030h]0_2_02281F9C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02281F9C mov eax, dword ptr fs:[00000030h]0_2_02281F9C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02281F9C mov eax, dword ptr fs:[00000030h]0_2_02281F9C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_02281F9C mov eax, dword ptr fs:[00000030h]0_2_02281F9C
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022B9F97 mov eax, dword ptr fs:[00000030h]0_2_022B9F97
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BDFEC mov eax, dword ptr fs:[00000030h]0_2_022BDFEC
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BEFDF mov eax, dword ptr fs:[00000030h]0_2_022BEFDF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022BEFDF mov eax, dword ptr fs:[00000030h]0_2_022BEFDF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_022ABFDF mov eax, dword ptr fs:[00000030h]0_2_022ABFDF
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exeCode function: 0_2_0227DC35 mov eax, dword ptr fs:[00000030h]0_2_0227DC35
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_05886760 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree
                  Source: all processes. Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_0588DE70 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_0588EEFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_05891E57 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_058877D0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_058877D0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_058877D0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.00000000029AC000.00000040.00000800.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2268938025.0000000002544000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4460447783.0000000006D40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0 min897506Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program ManagermQ
                  Source: Wk6IMAhBNF.exe, 00000000.00000002.4458910784.00000000029AC000.00000040.00000800.00020000.00000000.sdmp, Wk6IMAhBNF.exe, 00000000.00000003.2268938025.0000000002544000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_0041910C cpuid
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_05885430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_0588DE70 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_05895C12 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe Code function: 0_2_05886A40 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW
                  Source: Wk6IMAhBNF.exe Binary or memory string: acs.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: avcenter.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: vsserv.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: cfp.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: avp.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: rtvscan.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: TMBMSRV.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: ashDisp.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: avgwdsvc.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: AYAgent.aye
                  Source: Wk6IMAhBNF.exe Binary or memory string: QUHLPSVC.EXE
                  Source: Wk6IMAhBNF.exe Binary or memory string: RavMonD.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: Mcshield.exe
                  Source: Wk6IMAhBNF.exe Binary or memory string: K7TSecurity.exe

                  Stealing of Sensitive Information

                  Source: Yara match File source: Process Memory Space: Wk6IMAhBNF.exe PID: 2148, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Wk6IMAhBNF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

                  Remote Access Functionality

                  Source: Yara match File source: Process Memory Space: Wk6IMAhBNF.exe PID: 2148, type: MEMORYSTR

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 22 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                  Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 131 Input Capture | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 211 Process Injection | 4 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 21 Software Packing | NTDS | 456 System Information Discovery | Distributed Component Object Model | 131 Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1071 Security Software Discovery | SSH | 2 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 551 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 551 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 211 Process Injection | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Indicator Removal | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Source | Detection | Scanner | Label
                  Wk6IMAhBNF.exe | 47% | Virustotal |
                  Wk6IMAhBNF.exe | 58% | ReversingLabs | Win32.Backdoor.Farfli
                  Wk6IMAhBNF.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No contacted domains info
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  103.199.100.97 | unknown | Hong Kong | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
                  103.199.100.130 | unknown | Hong Kong | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1581277
                  Start date and time:2024-12-27 09:56:05 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 58s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:4
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Wk6IMAhBNF.exe
                  renamed because original name is a hash value
                  Original Sample Name:FF61853AA5A10D3FE8FBE0D5470DB9D0.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@1/0@0/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 95%
                  • Number of executed functions: 142
                  • Number of non-executed functions: 247
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  Time | Type | Description
                  03:58:01 | API Interceptor | 1794036x Sleep call for process: Wk6IMAhBNF.exe modified
                  No context
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | aQ7bSXduYp.exe | malicious | GhostRat, Nitol | 156.225.22.155
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | mipsel.nn.elf | malicious | Mirai, Okiru | 103.199.102.178
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | nsharm.elf | malicious | Mirai | 156.234.199.255
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | loligang.arm7.elf | malicious | Mirai | 156.234.199.204
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | loligang.spc.elf | malicious | Mirai | 45.207.113.55
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | arm5.nn-20241218-0633.elf | malicious | Mirai, Okiru | 156.226.203.160
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | jew.mpsl.elf | malicious | Unknown | 156.226.185.157
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | powerpc.elf | malicious | Unknown | 154.222.104.79
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | arm6.elf | malicious | Unknown | 156.241.59.21
                  XIAOZHIYUN1-AS-APICIDCNETWORKUS | x86_64.elf | malicious | Mirai | 156.253.67.13
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.399987787468489
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Wk6IMAhBNF.exe
                  File size:1'151'488 bytes
                  MD5:ff61853aa5a10d3fe8fbe0d5470db9d0
                  SHA1:bc6f2373b942643d275a062ac01367b197c3ad24
                  SHA256:ec234980252c20fc05b927ffa9bc292c88f210bda8e2e532a38cf9cbd1e72557
                  SHA512:efaf057bccde37bdda973f32162b8ba622f3068cb070b620ddfada51fe217cc2ee628392e12941fa52094714cbce3636707465dda8548e6c4ea83d9963373699
                  SSDEEP:24576:zn9SATrbtCU1YU1ypNXtFwKaUgRirSKlcpnm3tJZGRhJ:70etbj1MN9FwKvS1CO
                  TLSH:6035C041EF846235F76206314925B6A8957EADA10F7C866FB3E837196FF02F05433B26
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;................bl.m....bn......bo.a...v...~...D...e...D.......D...Z.......}...........v...f.......q.....b.~.......~.......~..
                  Icon Hash:24e28cc5858c8084
                  Entrypoint:0x5218c1
                  Entrypoint Section:.NLDEE
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                  Time Stamp:0x674D7D76 [Mon Dec 2 09:27:18 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:6
                  OS Version Minor:0
                  File Version Major:6
                  File Version Minor:0
                  Subsystem Version Major:6
                  Subsystem Version Minor:0
                  Import Hash:fd6b522fd68eeeb14e5aef9ca64d0b85
                  Programming Language:
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [RES] VS2015 UPD3 build 24213
                  • [LNK] VS2015 UPD3.1 build 24215
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x123092 | 0x118 | .idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0x123f0 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f0e6 | 0x38 | .NLDEE
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x11ee91 | 0x18 | .NLDEE
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x37000 | 0x36200 | 79c194186c281f93880ebda46cb136fe | False | 0.49544872257505773 | data | 6.604002199264506 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rdata | 0x38000 | 0x15000 | 0x15000 | 8e4e4590d98592e23b7557317b6b9f6e | False | 0.4557291666666667 | data | 5.354509808010684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .data | 0x4d000 | 0x5000 | 0x1c00 | 5d42bf0c5f17814fbff963578d280cd8 | False | 0.18359375 | DOS executable (block device driver ght (c) | 3.1457387875637597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .gfids | 0x52000 | 0x1000 | 0x600 | 45e79a2bf91977e2f08fe9fff1122ee2 | False | 0.392578125 | data | 3.2112234147515863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .tls | 0x53000 | 0x1000 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x54000 | 0x13000 | 0x12400 | 49978127ccff3f09c0b02514c7ad2393 | False | 0.07551637414383562 | data | 3.249131762489739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .reloc | 0x67000 | 0x4000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .NLDEE | 0x6b000 | 0xb8000 | 0xb8000 | bfb6be4841a29e55ff86d34b12d38b0a | False | 0.8560857358186141 | data | 7.823713533239283 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata | 0x123000 | 0x1000 | 0x400 | 616745a10b72bf438d7dda59cb370437 | False | 0.388671875 | data | 3.552132181923483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .NLDEE | 0x124000 | 0x1000 | 0x1000 | aecc1fccef0b6640ad544c6ffd37e6f6 | False | 0.881103515625 | data | 7.969492875572023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  AFX_DIALOG_LAYOUT | 0x66260 | 0x2 | data | Chinese | China | 5.0
                  RT_ICON | 0x542e0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | Chinese | China | 0.04677317637166281
                  RT_ICON | 0x5d788 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | Chinese | China | 0.06589513462446858
                  RT_ICON | 0x619b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Chinese | China | 0.09387966804979253
                  RT_ICON | 0x63f58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Chinese | China | 0.1346153846153846
                  RT_ICON | 0x65000 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Chinese | China | 0.19508196721311474
                  RT_ICON | 0x65988 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Chinese | China | 0.27570921985815605
                  RT_DIALOG | 0x661c8 | 0x94 | data | Chinese | China | 0.6959459459459459
                  RT_GROUP_ICON | 0x65df0 | 0x5a | data | Chinese | China | 0.7777777777777778
                  RT_VERSION | 0x65e50 | 0x378 | data | Chinese | China | 0.4166666666666667
                  RT_MANIFEST | 0x66268 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
                  DLL | Import
                  WS2_32.dll | connect
                  KERNEL32.dll | ReadFile
                  USER32.dll | GetCursorPos
                  ADVAPI32.dll | RegCreateKeyW
                  ole32.dll | CoSetProxyBlanket
                  OLEAUT32.dll | VariantClear
                  WINMM.dll | timeGetTime
                  IPHLPAPI.DLL | GetAdaptersInfo
                  d3d11.dll | D3D11CreateDevice
                  dxgi.dll | CreateDXGIFactory
                  MSVCRT.dll | strncpy
                  PSAPI.DLL | GetMappedFileNameW
                  SHELL32.dll | SHGetFolderPathW
                  Language of compilation system | Country where language is spoken
                  Chinese | China
                  English | United States
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2024-12-27T09:57:51.073805+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49786 | 103.199.100.97 | 8080 | TCP
                  2024-12-27T09:59:01.558575+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49786 | 103.199.100.97 | 8080 | TCP
                  2024-12-27T10:00:12.511514+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49979 | 103.199.100.97 | 8080 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 27, 2024 09:57:53.903831005 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.903964996 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.904011965 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.908046007 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.908250093 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.908298969 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.912159920 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.912276030 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.912328959 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.916337013 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.916462898 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.916512012 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.920526981 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.920635939 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.920677900 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.924680948 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.924819946 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.924906969 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.928829908 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.928949118 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.928993940 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.933032036 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.933307886 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.933356047 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.937170029 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.937258005 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.937299013 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.941323042 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.941442966 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.941493034 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.945477009 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.945595026 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.945638895 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.949615955 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.949724913 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.949774027 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.953815937 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.953928947 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.953979969 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:53.957990885 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.958070993 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:53.958122969 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:54.038671017 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:54.038789034 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:54.038830042 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:54.040034056 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:54.040090084 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:54.040133953 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:54.042855024 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:54.042958021 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:54.043088913 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:54.045619011 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:54.088933945 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:55.074469090 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:57:55.194164991 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:57:55.194824934 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:00.315437078 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:00.435291052 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:00.435345888 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:00.435415030 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:00.435444117 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:01.096116066 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:01.096473932 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:01.220529079 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:11.479727983 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:11.600488901 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:12.033502102 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:12.073348045 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:12.099569082 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:12.219099998 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:29.026935101 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:29.146572113 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:29.580495119 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:29.635874033 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:29.713563919 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:29.833357096 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:48.636002064 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:48.755772114 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:49.192940950 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:58:49.307766914 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:49.319164991 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:58:49.438720942 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:01.558574915 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:01.678129911 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:02.090301037 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:02.183434010 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:07.495536089 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:07.495604992 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:07.615268946 CET808049797103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:07.615854025 CET497978080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:09.444919109 CET499588181192.168.2.5103.199.100.130
                  Dec 27, 2024 09:59:09.564560890 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:09.567049980 CET499588181192.168.2.5103.199.100.130
                  Dec 27, 2024 09:59:15.319792986 CET499588181192.168.2.5103.199.100.130
                  Dec 27, 2024 09:59:15.439464092 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:15.439481974 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:15.439496994 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:15.439574003 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:16.146440029 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:16.147120953 CET499588181192.168.2.5103.199.100.130
                  Dec 27, 2024 09:59:16.243935108 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:16.246049881 CET499588181192.168.2.5103.199.100.130
                  Dec 27, 2024 09:59:16.266782045 CET818149958103.199.100.130192.168.2.5
                  Dec 27, 2024 09:59:17.771935940 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:17.891565084 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:17.891721010 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.011236906 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.019135952 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.138627052 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.138735056 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.259027958 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.259150982 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.303376913 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.378725052 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.455390930 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.468219995 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.513411045 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.573461056 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.587796926 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.605784893 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.723608971 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.723762035 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.725291967 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.843317986 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.843437910 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:18.933737040 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.963083029 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:18.979695082 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.164442062 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.276664972 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.311073065 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.413297892 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.413419008 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.430593014 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.532975912 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.533020020 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.614264965 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.614362955 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.652625084 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.734499931 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.734550953 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.854110956 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.854131937 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.854181051 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:19.973784924 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:19.973923922 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.055592060 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.055671930 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.094144106 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.175132990 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.175229073 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.294671059 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.295373917 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.295447111 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.455986977 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.456118107 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.496129990 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.542486906 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.575699091 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.575763941 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.695362091 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.699043036 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.703947067 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.859927893 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.862051964 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.905332088 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:20.906321049 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:20.981604099 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.025899887 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.025991917 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.109133005 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.145699978 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.182832003 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.255373955 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.319267035 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.323029995 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.374933958 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.379060030 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.442583084 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.442814112 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.498701096 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.561147928 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.561322927 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.562416077 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.680952072 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.681190014 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.762568951 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.762670994 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:21.800767899 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.882221937 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:21.968486071 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:22.002212048 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.088088036 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.088233948 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:22.207839966 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.207937956 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:22.245223045 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.327538013 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.327610016 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:22.413702965 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.413772106 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:22.447211027 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.533461094 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.614867926 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.682832956 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:22.857187986 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:22.979711056 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:23.058260918 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:23.182831049 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:23.680972099 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:23.800662994 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:23.800725937 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:23.920403004 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:23.920520067 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.040091038 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.040179968 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.159950018 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.160136938 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.212294102 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.279916048 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.283049107 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.402654886 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.402740002 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.422276020 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.564049959 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.567054987 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.632708073 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.635077000 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.686562061 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.686625004 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.754673958 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.806282997 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.806440115 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.842710018 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.888024092 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.891025066 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:24.968053102 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:24.968122959 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:25.087810040 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.087892056 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:25.089047909 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.171325922 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:25.248127937 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.248379946 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:25.289736032 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.368084908 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.368141890 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:25.487819910 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.491103888 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.682847023 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:25.689373970 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.870364904 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:25.893754959 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:25.979739904 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:26.094996929 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:26.182849884 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:26.296612978 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:26.370338917 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:26.494052887 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:26.655988932 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:26.656049967 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:26.775631905 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:26.775685072 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:26.895194054 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:26.895242929 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.014919043 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.014981031 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.025396109 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.180027008 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.180108070 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.267230034 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.267333984 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.299701929 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.386971951 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.387022018 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.476310968 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.507081985 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.514323950 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.633950949 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.634051085 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.708256006 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.753695965 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.755158901 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.874718904 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.874857903 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.953249931 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:27.955136061 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:27.994385004 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.074826956 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.074897051 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.155160904 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.155230045 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.194536924 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.274848938 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.274898052 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.355376005 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.359066010 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.394382954 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.394440889 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.478737116 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.514029026 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.556552887 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.591603041 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.757762909 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.757823944 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.936012030 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:28.939125061 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:28.958957911 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:29.058794975 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:29.058887959 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:29.160326004 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:29.178543091 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:29.190736055 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:29.311427116 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:29.311486959 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:29.367522955 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:29.431442022 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:29.546034098 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.195741892 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.252021074 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.315366983 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.319119930 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.438816071 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.438890934 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.493314981 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.493385077 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.558597088 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.613013029 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.613097906 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.694511890 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.732630968 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.732686996 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.852402925 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.852500916 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:49.895720005 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.972368002 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:49.972438097 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.092087030 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.092175007 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.096998930 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.167041063 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.256031036 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.257150888 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.293652058 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.376760006 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.386002064 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.496989012 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.573519945 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.707262039 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.713474035 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.730240107 CET499798080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.833180904 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.833260059 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.849838018 CET808049979103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.849939108 CET499798080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.917366982 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:50.917467117 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:50.952887058 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.037070036 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.037126064 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.156841040 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.157006025 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.245006084 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.245079041 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.276546001 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.276648998 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.364614010 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.364763975 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.396172047 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.478049040 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.478106976 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.484252930 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.597646952 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.597692013 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.685764074 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.685815096 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.717178106 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.805527925 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.807163954 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.918705940 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:51.918792009 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:51.926672935 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.038528919 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.039242983 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.128326893 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.131140947 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.158862114 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.250849009 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.250904083 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.370534897 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.370615959 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.392329931 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.532095909 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.532149076 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.571908951 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.571974039 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.651783943 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.696702003 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.773175001 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.816318989 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:52.827442884 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:52.974169970 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:53.182074070 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:53.182883978 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:53.385997057 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:53.392077923 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:53.559681892 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:53.739716053 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:53.859338999 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:53.859397888 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:53.978931904 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:53.979108095 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.098773003 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.098819017 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.218481064 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.271083117 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.291774035 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.411412001 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.415184021 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.481367111 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.534754038 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.543478012 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.663620949 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.667185068 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.691535950 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.795401096 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.828036070 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.831150055 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.901626110 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:54.903141975 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:54.950767040 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.022789001 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.067924023 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:55.111977100 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.182888985 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:55.187743902 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.270776033 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:55.322021008 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.370398998 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:55.390590906 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.532299995 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.682955027 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:55.742378950 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:55.870518923 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:55.952610970 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:56.182889938 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:56.724170923 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:56.843905926 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.255625963 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.342233896 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:57.520493031 CET499798080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:57.576215029 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:57.640382051 CET808049979103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.640400887 CET808049979103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.640405893 CET808049979103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.640409946 CET808049979103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.695830107 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.697247982 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:57.816864014 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.817154884 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:57.936902046 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:57.937304974 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.057022095 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.064336061 CET808049979103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.064901114 CET499798080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.088768959 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.112430096 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.182979107 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.184497118 CET808049979103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.208367109 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.208448887 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.322737932 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.323760033 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.327919006 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.443460941 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.445198059 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.532994986 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.535365105 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.564735889 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.644766092 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.644844055 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.654920101 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.764429092 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.764482975 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.766108990 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.886013031 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.928040028 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:58.928091049 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:58.965938091 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.047776937 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.047880888 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.167380095 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.167438030 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.167473078 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.287087917 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.287178993 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.373724937 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.406903982 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.427911997 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.446990013 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.566700935 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.567151070 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.608211994 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.682977915 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.686829090 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.686892033 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.806828976 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.806925058 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 09:59:59.853262901 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.926481962 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 09:59:59.926559925 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.008033037 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.011157036 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.046200991 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.131159067 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.131336927 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.214656115 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.214718103 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.251079082 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.251133919 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.334292889 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.334405899 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.370871067 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.424550056 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.453959942 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.481293917 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.601506948 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.603153944 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.655389071 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.659182072 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:00.778830051 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.897212029 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:00.951421976 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:01.098429918 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:01.182888031 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:01.299813032 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:01.316287994 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:01.496458054 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:01.496530056 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:01.616858959 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:01.616928101 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:01.736522913 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:01.736809015 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:01.847671986 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:01.856283903 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:01.927485943 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.047132969 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.049179077 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.057704926 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.061209917 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.180780888 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.216124058 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.304717064 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.304838896 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.378995895 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.379148006 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.427603960 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.498836994 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.498898029 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.502487898 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.573522091 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.660092115 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.661732912 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.700186968 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.701317072 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.781251907 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.820949078 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.821821928 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:02.901281118 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.941562891 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:02.979801893 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:03.109246016 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:03.182908058 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:03.319232941 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:03.386025906 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:03.529557943 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:03.648340940 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:03.697127104 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:03.816692114 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:03.816744089 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:03.936260939 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:03.936306000 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.056178093 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.056315899 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.176449060 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.176495075 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.228655100 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.276638985 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.296094894 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.382653952 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.438785076 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.438901901 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.502729893 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.503211975 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.558451891 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.622800112 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.622992992 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.648834944 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.784037113 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.784248114 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.859106064 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.859293938 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.903804064 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:04.905268908 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:04.978900909 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.024842024 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.024976969 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.108067989 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.108333111 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.145880938 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.145950079 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.228521109 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.228655100 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.266176939 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.318274021 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.318389893 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.348659039 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.437988997 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.438040972 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.549974918 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.550031900 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.557549000 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.669677019 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.669728994 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.758966923 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.759016991 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.789401054 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.878539085 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.878599882 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.990955114 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:05.991030931 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:05.998110056 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:06.110603094 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:06.110735893 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:06.199608088 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:06.230312109 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:26.453391075 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:26.480201006 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:26.480283976 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:26.573772907 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:26.599925995 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:26.649519920 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:26.654351950 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:26.769319057 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:26.776698112 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:26.897233009 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:27.073582888 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:27.098413944 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:27.182951927 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:27.299592972 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:27.386085987 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:27.806988001 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:27.926701069 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:27.926780939 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.046386003 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.046447039 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.166573048 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.166688919 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.286299944 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.286395073 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.338459969 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.405916929 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.405971050 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.525615931 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.525686026 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.548453093 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.682938099 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.691991091 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.692064047 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.758934975 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.811534882 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.811620951 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.931272984 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:28.931467056 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:28.969738960 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.051136017 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.051304102 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.170892954 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.173834085 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.179054976 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.336041927 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.337253094 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.389365911 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.393465042 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.456868887 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.513147116 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.513238907 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.603511095 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.605540037 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.632848024 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.633933067 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.725136995 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.725682020 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:29.753535032 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.813898087 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.845482111 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:29.886079073 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:30.046926975 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:30.182944059 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:30.289278984 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:30.386060953 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:30.490550995 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:30.562087059 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:30.689066887 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:30.808716059 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:30.836040974 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:30.955713987 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:30.955775023 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.075396061 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.077801943 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.197417974 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.220473051 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.316834927 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.384303093 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.430630922 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.479837894 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.552032948 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.553800106 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.640638113 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.641525030 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.673433065 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.761063099 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.761662006 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.881226063 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:31.881375074 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:31.915512085 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.044274092 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.045305014 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:32.157485008 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.157910109 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:32.164915085 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.277522087 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.281361103 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:32.358402967 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.361331940 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:32.401068926 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.401238918 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:32.480989933 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.520916939 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.601283073 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.682955027 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:32.802638054 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:32.886104107 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:33.003881931 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:33.073590994 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:33.781732082 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:33.901645899 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:33.901904106 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.021603107 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.023252964 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.143171072 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.143222094 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.262972116 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.273493052 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.313431978 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.386075020 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.393150091 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.393266916 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.512875080 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.512942076 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.523490906 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.641361952 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.676100969 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.733751059 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.820950031 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.940639973 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:34.941791058 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:34.944032907 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.104120016 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.105467081 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:35.154192924 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.225085974 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.225260973 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:35.292519093 CET499808181192.168.2.5103.199.100.130
                  Dec 27, 2024 10:00:35.292519093 CET499808181192.168.2.5103.199.100.130
                  Dec 27, 2024 10:00:35.345091105 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.345288992 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:35.364382982 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.412312031 CET818149980103.199.100.130192.168.2.5
                  Dec 27, 2024 10:00:35.412559986 CET499808181192.168.2.5103.199.100.130
                  Dec 27, 2024 10:00:35.480731964 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:35.508083105 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.508200884 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:35.574620962 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.627870083 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.683048964 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:35.784842014 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:35.873284101 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:35.994986057 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:36.186204910 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:36.205295086 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:36.370454073 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:36.601993084 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:36.721637964 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:36.759850979 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:36.879533052 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:36.879581928 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:36.999253035 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.038701057 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.133696079 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.158312082 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.179071903 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.298652887 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.298717976 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.343544006 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.418417931 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.418560028 CET499818080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.418642044 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.539041042 CET808049981103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.539077044 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.539288044 CET499818080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.539288044 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.586896896 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.587229013 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.659502029 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.659713030 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.707597971 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.707835913 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.779934883 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.786747932 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.786823034 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.868536949 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.868659019 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.907038927 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.980791092 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:37.981004953 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:37.988301039 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.100722075 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.101006031 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.184494019 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.184690952 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.220691919 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.220854044 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.304384947 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.304536104 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.340655088 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.422199011 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.422278881 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.424197912 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.542257071 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.555118084 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.625724077 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.625973940 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.675237894 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.675468922 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.745974064 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.746061087 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.795356989 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.865762949 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.865823030 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:38.869358063 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:38.979839087 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:39.067159891 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:39.067223072 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:39.268378973 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:39.268444061 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:39.469939947 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:39.470022917 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:39.671087980 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:39.671243906 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:39.872319937 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:39.872395039 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:40.076221943 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:40.076301098 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:40.286165953 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:40.286354065 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:40.496485949 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:40.496557951 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:40.706706047 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:40.707303047 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:40.916924000 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:40.917009115 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:41.028306007 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.031279087 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:41.148123980 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.148247957 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:41.151001930 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.229450941 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.268064976 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.268141031 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:41.352320910 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.387773037 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.422245979 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:41.541902065 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.589086056 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.682990074 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:41.833276987 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:41.882612944 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:42.002238989 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:42.034527063 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:42.182971001 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:42.423445940 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:42.483258009 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:42.940555096 CET499818080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:42.955240965 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.060336113 CET808049981103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.060376883 CET808049981103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.060421944 CET808049981103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.060452938 CET808049981103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.116138935 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.116307020 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.235949993 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.236152887 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.355751038 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.356193066 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.465694904 CET808049981103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.466073036 CET499818080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.475986958 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.476032972 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.486346006 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.585684061 CET808049981103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.636102915 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.636156082 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.696659088 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.696728945 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.755717993 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.755775928 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:43.816987991 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.875418901 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.906789064 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:43.979854107 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.117125988 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.148797035 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.312028885 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.312247038 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.327229023 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.370608091 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.432004929 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.435343981 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.554955006 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.555073977 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.675090075 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.675280094 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.680146933 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.835903883 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.835997105 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.890264988 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:44.890338898 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:44.955899000 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.009917974 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.021091938 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:45.100841045 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.100984097 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:45.140840054 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.220594883 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.238255024 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:45.310708046 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.358413935 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.359513998 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:45.479140043 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.479372025 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:45.520873070 CET808049786103.199.100.97192.168.2.5
                  Dec 27, 2024 10:00:45.523329020 CET497868080192.168.2.5103.199.100.97
                  Dec 27, 2024 10:00:45.599827051 CET808049786103.199.100.97192.168.2.5

                  Target ID:0
                  Start time:03:56:52
                  Start date:27/12/2024
                  Path:C:\Users\user\Desktop\Wk6IMAhBNF.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Wk6IMAhBNF.exe"
                  Imagebase:0x400000
                  File size:1'151'488 bytes
                  MD5 hash:FF61853AA5A10D3FE8FBE0D5470DB9D0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.1999206035.0000000000438000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2218149347.0000000002548000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4458721208.000000000277E000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                    Execution Graph

                    Execution Coverage:9.4%
                    Dynamic/Decrypted Code Coverage:52.7%
                    Signature Coverage:26.3%
                    Total number of Nodes:1903
                    Total number of Limit Nodes:112
70288->70290 70291 40ce19 70289->70291 70292 40ce4e 70290->70292 70293 410a9e 3 API calls 70291->70293 70294 410a9e 3 API calls 70292->70294 70293->70295 70294->70295 70295->70135 70297 40cf04 __EH_prolog3_GS 70296->70297 70298 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70297->70298 70299 40cf14 70298->70299 70300 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70299->70300 70301 40cf29 70300->70301 70302 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70301->70302 70303 40cf3d 70302->70303 70304 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70303->70304 70305 40cf4e 70304->70305 70306 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70305->70306 70307 40cf5f 70306->70307 70669 411365 70307->70669 70309 40cf9a 70310 40cfb3 GetAdaptersInfo 70309->70310 70311 40cfda 70310->70311 70318 40cff8 std::system_error::system_error 70310->70318 70312 40cfe5 GetAdaptersInfo 70311->70312 70312->70318 70313 40d1b3 std::system_error::system_error 70313->70141 70318->70313 70677 40f225 KiUserExceptionDispatcher std::system_error::system_error 70318->70677 70678 40fc16 KiUserExceptionDispatcher std::system_error::system_error ___BuildCatchObject 70318->70678 70679 40efcb KiUserExceptionDispatcher std::system_error::system_error 70318->70679 70680 40aae7 3 API calls 3 library calls 70318->70680 70320 40d258 __EH_prolog3_GS 70319->70320 70321 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70320->70321 70322 40d286 70321->70322 70323 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70322->70323 70324 40d29b 70323->70324 70325 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70324->70325 70326 40d2af 70325->70326 70327 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70326->70327 70328 40d2c3 70327->70328 70329 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70328->70329 70330 40d2d7 70329->70330 70331 40f1f6 
std::system_error::system_error KiUserExceptionDispatcher 70330->70331 70332 40d2eb 70331->70332 70333 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70332->70333 70334 40d2ff 70333->70334 70335 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70334->70335 70336 40d313 70335->70336 70337 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70336->70337 70338 40d327 70337->70338 70339 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70338->70339 70340 40d33b 70339->70340 70341 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70340->70341 70342 40d34f 70341->70342 70343 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70342->70343 70344 40d363 70343->70344 70345 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70344->70345 70346 40d377 70345->70346 70347 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70346->70347 70348 40d38b 70347->70348 70349 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70348->70349 70350 40d39f 70349->70350 70351 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70350->70351 70352 40d3b3 70351->70352 70353 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70352->70353 70354 40d3c7 70353->70354 70355 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70354->70355 70356 40d3db 70355->70356 70357 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70356->70357 70358 40d3ef 70357->70358 70359 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70358->70359 70360 40d403 70359->70360 70361 411365 KiUserExceptionDispatcher 70360->70361 70362 40d441 70361->70362 70363 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70362->70363 70365 40d46c 70363->70365 70366 40d490 std::system_error::system_error 70365->70366 70684 40d1cf WSAStartup GetPEB 70365->70684 70366->70147 70368 40d4c7 __EH_prolog3_GS 70367->70368 70369 40f1f6 
std::system_error::system_error KiUserExceptionDispatcher 70368->70369 70370 40d4ee 70369->70370 70371 40d4f8 std::system_error::system_error 70370->70371 70372 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70370->70372 70371->70153 70373 40d50f 70372->70373 70374 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70373->70374 70375 40d523 70374->70375 70376 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70375->70376 70377 40d537 70376->70377 70378 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70377->70378 70379 40d54b 70378->70379 70380 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70379->70380 70381 40d55f 70380->70381 70382 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70381->70382 70383 40d570 70382->70383 70384 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70383->70384 70385 40d581 70384->70385 70386 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70385->70386 70387 40d592 70386->70387 70388 411365 KiUserExceptionDispatcher 70387->70388 70389 40d5ca 70388->70389 70389->70371 70685 40d1cf WSAStartup GetPEB 70389->70685 70686 40d629 70391->70686 70393 40d752 70394 40d772 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 70393->70394 70696 420a8b WSAStartup GetPEB _memcpy_s std::_Locinfo::_Locinfo_ctor _free 70393->70696 70394->70159 70397 40ef8a char_traits 70396->70397 70697 40f950 70397->70697 70399 40dffb 70400 40d79e 70399->70400 70401 40d7ad __EH_prolog3_GS 70400->70401 70402 40d7c8 70401->70402 70403 40d7db 70401->70403 70702 410ad0 KiUserExceptionDispatcher char_traits __EH_prolog3_catch codecvt 70402->70702 70405 40ef6c KiUserExceptionDispatcher 70403->70405 70408 40d7ed 70405->70408 70406 40d7cd 70703 410c9b WSAStartup KiUserExceptionDispatcher GetPEB 70406->70703 70410 40d7d3 std::system_error::system_error 70408->70410 70704 40ee3e KiUserExceptionDispatcher 70408->70704 70410->70167 70412 40bb52 
__EH_prolog3_catch_GS 70411->70412 70413 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70412->70413 70414 40bb72 70413->70414 70705 40baa0 70414->70705 70418 40bb90 70712 411257 KiUserExceptionDispatcher __EH_prolog3 codecvt 70418->70712 70420 40bbbc std::system_error::system_error 70420->70173 70422 40d877 __EH_prolog3_GS 70421->70422 70423 40ef6c KiUserExceptionDispatcher 70422->70423 70424 40d887 70423->70424 70425 40ef6c KiUserExceptionDispatcher 70424->70425 70426 40d89b 70425->70426 70427 40ef6c KiUserExceptionDispatcher 70426->70427 70428 40d8b1 70427->70428 70429 40ef6c KiUserExceptionDispatcher 70428->70429 70430 40d8c5 70429->70430 70431 40ef6c KiUserExceptionDispatcher 70430->70431 70432 40d8d9 70431->70432 70433 40ef6c KiUserExceptionDispatcher 70432->70433 70434 40d8ed 70433->70434 70435 40ef6c KiUserExceptionDispatcher 70434->70435 70436 40d901 70435->70436 70437 40ef6c KiUserExceptionDispatcher 70436->70437 70438 40d915 70437->70438 70439 40ef6c KiUserExceptionDispatcher 70438->70439 70440 40d926 70439->70440 70441 40ef6c KiUserExceptionDispatcher 70440->70441 70442 40d937 70441->70442 70443 40ef6c KiUserExceptionDispatcher 70442->70443 70444 40d948 70443->70444 70445 40ef6c KiUserExceptionDispatcher 70444->70445 70446 40d959 70445->70446 70713 4112d6 70446->70713 70448 40d996 std::system_error::system_error 70448->70179 70453 40db4a __EH_prolog3_GS 70449->70453 70450 410818 KiUserExceptionDispatcher 70451 40db91 70450->70451 70452 410a9e 3 API calls 70451->70452 70455 40db97 std::system_error::system_error 70452->70455 70454 40db7b 70453->70454 70457 40dba4 std::system_error::system_error 70453->70457 70454->70450 70455->70193 70456 40f1f6 KiUserExceptionDispatcher std::system_error::system_error 70456->70457 70457->70455 70457->70456 70458 40daa8 WSAStartup KiUserExceptionDispatcher GetPEB 70457->70458 70458->70457 70460 40f7d6 __EH_prolog3 70459->70460 70461 40f813 codecvt 70460->70461 70468 410337 70460->70468 70461->70219 70464 40f797 
70463->70464 70465 40f7a2 70464->70465 70477 41039c KiUserExceptionDispatcher __EH_prolog3_catch codecvt 70464->70477 70465->70218 70467->70215 70469 410343 __EH_prolog3 70468->70469 70470 410394 codecvt 70469->70470 70471 40f7ca KiUserExceptionDispatcher 70469->70471 70470->70461 70474 41035a 70471->70474 70472 41038c 70473 40f76c KiUserExceptionDispatcher 70472->70473 70473->70470 70474->70472 70476 40ff57 KiUserExceptionDispatcher 70474->70476 70476->70472 70477->70465 70479 4103fc __EH_prolog3 70478->70479 70490 410723 70479->70490 70481 41040f std::ios_base::_Ios_base_dtor codecvt 70481->70222 70483 410fc2 __EH_prolog3_catch 70482->70483 70484 40f7ca KiUserExceptionDispatcher 70483->70484 70485 410fd4 70484->70485 70486 41104a 70485->70486 70500 40ff57 KiUserExceptionDispatcher 70485->70500 70488 40f76c KiUserExceptionDispatcher 70486->70488 70489 411052 codecvt 70488->70489 70489->70224 70491 41072f __EH_prolog3 std::_Lockit::_Lockit int std::locale::_Getfacet 70490->70491 70493 410763 std::_Lockit::~_Lockit codecvt 70491->70493 70498 40a12f 3 API calls 5 library calls 70491->70498 70493->70481 70494 410773 70495 410799 70494->70495 70496 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70494->70496 70499 415b81 KiUserExceptionDispatcher new 70495->70499 70496->70495 70498->70494 70499->70493 70500->70486 70502 226fd29 70501->70502 70504 226fd54 70502->70504 70515 24029e5 LdrInitializeThunk 70502->70515 70503 226fd84 70503->70232 70504->70503 70516 2402925 LdrInitializeThunk 70504->70516 70508 226f9f2 70507->70508 70517 226d06b 70508->70517 70511 226fd21 2 API calls 70513 226fd1c 70511->70513 70512 226faaa 70512->70511 70513->70232 70514 226faa1 70514->70512 70522 226c87f 70514->70522 70515->70504 70516->70503 70519 226d077 70517->70519 70518 226d0a1 70518->70514 70519->70518 70528 24028a5 LdrInitializeThunk 70519->70528 70529 2402aa5 LdrInitializeThunk 70519->70529 70523 226c8b1 70522->70523 70524 226c932 70522->70524 70523->70524 70530 2402be5 
LdrInitializeThunk 70523->70530 70524->70512 70525 226c908 70525->70524 70531 24029c5 LdrInitializeThunk 70525->70531 70528->70519 70529->70519 70530->70525 70531->70524 70533 40f212 std::system_error::system_error 70532->70533 70568 40f05c 70533->70568 70535 40cb64 70536 40c806 70535->70536 70585 418d30 70536->70585 70538 40c815 CoInitialize CoCreateInstance 70539 40c8da CoUninitialize 70538->70539 70540 40c84f 70538->70540 70544 40caf2 std::system_error::system_error 70539->70544 70586 40c466 70540->70586 70542 40c865 70543 40c8a4 70542->70543 70615 40c4db SysFreeString codecvt 70542->70615 70546 40c8a8 CoSetProxyBlanket 70543->70546 70547 40c8c2 70543->70547 70544->70242 70546->70547 70548 40c8e7 70546->70548 70547->70539 70592 410a2b 70548->70592 70550 40c901 70600 40c40c 70550->70600 70552 40c926 70553 40c40c 2 API calls 70552->70553 70555 40c93c 70553->70555 70554 40c983 70557 40c99c 70554->70557 70617 40c4db SysFreeString codecvt 70554->70617 70555->70554 70616 40c4db SysFreeString codecvt 70555->70616 70558 40c9a0 CoUninitialize 70557->70558 70567 40c9c5 std::system_error::system_error std::exception::exception 70557->70567 70558->70544 70560 40cac5 CoUninitialize 70560->70544 70562 40c9f5 VariantInit 70562->70567 70564 40ca9e VariantClear 70564->70567 70566 40f05c std::system_error::system_error KiUserExceptionDispatcher 70566->70567 70567->70560 70567->70562 70567->70564 70567->70566 70606 40ff76 70567->70606 70569 40f06c std::system_error::system_error 70568->70569 70570 40f070 70569->70570 70571 40f08c 70569->70571 70575 40fcdd KiUserExceptionDispatcher std::system_error::system_error __ExceptionPtr::_CallCopyCtor 70570->70575 70576 40fac9 70571->70576 70574 40f08a __ExceptionPtr::_CallCopyCtor 70574->70535 70575->70574 70577 40fad5 70576->70577 70578 40fb1e 70576->70578 70582 40fae3 std::system_error::system_error 70577->70582 70583 410200 KiUserExceptionDispatcher std::system_error::system_error __ExceptionPtr::_CallCopyCtor __EH_prolog3_catch codecvt 
70577->70583 70584 414b3c KiUserExceptionDispatcher std::invalid_argument::invalid_argument __CxxThrowException@8 70578->70584 70582->70574 70583->70582 70585->70538 70587 40c472 __EH_prolog3 70586->70587 70618 418761 70587->70618 70590 40c489 SysAllocString 70591 40c4a3 _com_issue_error codecvt 70590->70591 70591->70542 70593 410a37 std::system_error::system_error __EH_prolog3 70592->70593 70625 40effa 70593->70625 70595 410a7a std::system_error::system_error 70629 40f0d5 70595->70629 70597 410a8a 70640 40fdd3 70597->70640 70599 410a96 codecvt 70599->70550 70601 40c418 __EH_prolog3 70600->70601 70602 418761 new KiUserExceptionDispatcher 70601->70602 70603 40c421 70602->70603 70605 40c442 _com_issue_error codecvt 70603->70605 70657 419540 SysAllocString __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z _com_issue_error __alloca_probe_16 __ExceptionPtr::__ExceptionPtr 70603->70657 70605->70552 70607 40ff84 70606->70607 70608 40ff8c 70606->70608 70607->70567 70658 410ccd 70608->70658 70612 41000d 70612->70607 70663 409c93 KiUserExceptionDispatcher std::exception::exception 70612->70663 70613 410048 70614 410ccd KiUserExceptionDispatcher 70614->70612 70615->70543 70616->70554 70617->70557 70620 418766 new __ExceptionPtr::__ExceptionPtr 70618->70620 70619 40c47b 70619->70590 70619->70591 70620->70619 70623 41936b KiUserExceptionDispatcher __CxxThrowException@8 new 70620->70623 70624 41934e KiUserExceptionDispatcher __CxxThrowException@8 __ExceptionPtr::__ExceptionPtr 70620->70624 70623->70620 70626 40f018 70625->70626 70627 40f00b 70625->70627 70626->70595 70627->70626 70628 40fac9 std::system_error::system_error KiUserExceptionDispatcher 70627->70628 70628->70626 70630 40f0e5 std::system_error::system_error 70629->70630 70631 40f105 70630->70631 70632 40f0e9 70630->70632 70633 40f117 70631->70633 70634 40f16d 70631->70634 70638 40fdd3 std::system_error::system_error KiUserExceptionDispatcher 70632->70638 70636 40fac9 std::system_error::system_error 
KiUserExceptionDispatcher 70633->70636 70639 40f103 __ExceptionPtr::_CallCopyCtor 70633->70639 70649 414b3c KiUserExceptionDispatcher std::invalid_argument::invalid_argument __CxxThrowException@8 70634->70649 70636->70639 70638->70639 70639->70597 70650 40fa1f 70640->70650 70643 40fe04 70646 40fac9 std::system_error::system_error KiUserExceptionDispatcher 70643->70646 70648 40fe15 __ExceptionPtr::_CallCopyCtor 70643->70648 70644 40fe67 70655 414b3c KiUserExceptionDispatcher std::invalid_argument::invalid_argument __CxxThrowException@8 70644->70655 70646->70648 70648->70599 70651 40fa2a 70650->70651 70652 40fa2e 70650->70652 70651->70643 70651->70644 70656 414b5c KiUserExceptionDispatcher std::invalid_argument::invalid_argument __CxxThrowException@8 70652->70656 70657->70605 70659 410cd8 __onexit 70658->70659 70662 40ffbc 70659->70662 70664 4023ea KiUserExceptionDispatcher __CxxThrowException@8 70659->70664 70662->70612 70662->70614 70663->70613 70665->70263 70666->70269 70667->70277 70668->70282 70671 411371 __EH_prolog3_catch 70669->70671 70670 4113a4 70682 40242c KiUserExceptionDispatcher new 70670->70682 70671->70670 70676 4113d4 codecvt 70671->70676 70681 414b3c KiUserExceptionDispatcher std::invalid_argument::invalid_argument __CxxThrowException@8 70671->70681 70674 4113ad 70683 413d9b KiUserExceptionDispatcher std::system_error::system_error __EH_prolog3_catch codecvt 70674->70683 70676->70309 70677->70318 70678->70318 70679->70318 70680->70318 70682->70674 70683->70676 70684->70365 70685->70389 70687 40d653 70686->70687 70694 226fd21 2 API calls 70687->70694 70695 226f9df 6 API calls 70687->70695 70688 40ef6c KiUserExceptionDispatcher 70693 40d6f3 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 70688->70693 70689 40d6e0 70689->70688 70690 40d663 70690->70689 70691 40d705 70690->70691 70692 40ef6c KiUserExceptionDispatcher 70691->70692 70692->70693 70693->70393 70694->70690 70695->70690 70696->70394 70698 40f960 70697->70698 70700 40f980 70698->70700 
70701 41016b KiUserExceptionDispatcher std::system_error::system_error 70698->70701 70700->70399 70701->70700 70702->70406 70703->70410 70704->70410 70706 40baaf __EH_prolog3_catch_GS 70705->70706 70707 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70706->70707 70708 40bb0a 70707->70708 70709 40f1f6 std::system_error::system_error KiUserExceptionDispatcher 70708->70709 70710 40bb34 70709->70710 70711 40ed81 3 API calls 4 library calls 70710->70711 70711->70418 70712->70420 70714 4112e2 __EH_prolog3_catch 70713->70714 70715 411345 codecvt 70714->70715 70716 411315 70714->70716 70721 414b3c KiUserExceptionDispatcher std::invalid_argument::invalid_argument __CxxThrowException@8 70714->70721 70715->70448 70722 40242c KiUserExceptionDispatcher new 70716->70722 70719 41131e 70723 413d34 KiUserExceptionDispatcher __EH_prolog3_catch codecvt 70719->70723 70722->70719 70723->70715 70724 23d6d75 70727 23d6def 70724->70727 70725 23d6e39 70726 23d6ed6 GetPEB 70729 23d6ee5 70726->70729 70727->70725 70727->70726 70727->70729 70728 23d8774 70757 23d6f13 70728->70757 70790 241781d 70728->70790 70729->70728 70740 23d6f92 70729->70740 70729->70757 70731 23d70d8 70741 23d7904 GetPEB 70731->70741 70731->70757 70760 23d7964 70731->70760 70732 23d89f4 GetPEB 70733 23d8a2c 70732->70733 70734 23d87e5 70736 23d8842 70734->70736 70737 23d8832 GetPEB 70734->70737 70734->70757 70738 23d884c GetPEB 70736->70738 70739 23d885b 70736->70739 70737->70736 70738->70739 70743 23d8883 70739->70743 70744 23d8873 GetPEB 70739->70744 70740->70731 70766 23d01ea 70740->70766 70742 23d7911 GetPEB 70741->70742 70746 23d792c 70741->70746 70742->70746 70745 23d888d GetPEB 70743->70745 70751 23d88b5 70743->70751 70744->70743 70747 23d889c 70745->70747 70745->70751 70748 23d7955 GetPEB 70746->70748 70747->70751 70752 23d88a5 GetPEB 70747->70752 70748->70760 70749 23d86dc GetPEB 70749->70757 70750 23d88db GetPEB 70756 23d88eb 70750->70756 70751->70750 70751->70756 70752->70751 70753 23d869c GetPEB 
70753->70757 70754 23d8642 70754->70753 70755 23d8945 GetPEB 70755->70757 70758 23d890e 70756->70758 70759 23d88fe GetPEB 70756->70759 70757->70732 70757->70733 70758->70755 70759->70758 70760->70757 70761 23d79f1 70760->70761 70762 23d8307 GetPEB 70760->70762 70761->70749 70761->70754 70761->70757 70763 23d8314 GetPEB 70762->70763 70764 23d832f 70762->70764 70763->70764 70765 23d8355 GetPEB 70764->70765 70765->70761 70798 23d0425 70766->70798 70768 23d0218 70768->70731 70769 23d0214 70769->70768 70771 23d02d1 70769->70771 70825 24028a5 LdrInitializeThunk 70769->70825 70773 23d02db 70771->70773 70827 24028a5 LdrInitializeThunk 70771->70827 70773->70768 70774 2424cdf 70773->70774 70826 24028a5 LdrInitializeThunk 70773->70826 70828 23bf7cf 70774->70828 70777 23d0330 70777->70774 70778 23d036b 70777->70778 70779 2424c03 GetPEB 70778->70779 70780 23d0382 70778->70780 70781 2424c13 GetPEB 70779->70781 70780->70781 70784 23d038d 70780->70784 70782 2424c26 70781->70782 70781->70784 70782->70784 70785 2424c3e GetPEB 70782->70785 70783 2424c69 GetPEB 70786 23d03a4 70783->70786 70784->70783 70784->70786 70785->70784 70788 2424c82 GetPEB 70786->70788 70789 23d03af 70786->70789 70787 2424cad GetPEB 70787->70768 70788->70789 70789->70768 70789->70787 70791 2417844 70790->70791 70836 24028a5 LdrInitializeThunk 70791->70836 70793 241785a 70794 241789a 70793->70794 70795 2417875 70793->70795 70796 23bf7cf LdrInitializeThunk 70793->70796 70794->70734 70797 23bf7cf LdrInitializeThunk 70795->70797 70796->70795 70797->70794 70799 23d043e 70798->70799 70800 2424d47 GetPEB 70799->70800 70804 23d045b 70799->70804 70824 23d0672 70799->70824 70801 2424d53 GetPEB 70800->70801 70800->70804 70801->70804 70803 23d050c 70805 23d051d GetPEB 70803->70805 70803->70824 70804->70803 70804->70824 70833 24028a5 LdrInitializeThunk 70804->70833 70806 2424e52 70805->70806 70807 23d052e 70805->70807 70806->70807 70808 2424e5b GetPEB 70806->70808 70809 2424e6e GetPEB 70807->70809 70813 23d053c 70807->70813 
70808->70807 70809->70813 70810 23d062e GetPEB 70811 2424f05 70810->70811 70812 23d0642 70810->70812 70811->70812 70814 2424f0e GetPEB 70811->70814 70815 2424f21 GetPEB 70812->70815 70816 23d0650 70812->70816 70813->70810 70814->70812 70815->70816 70818 2424f34 70815->70818 70817 23d0653 GetPEB 70816->70817 70819 2424f70 70817->70819 70822 23d0664 70817->70822 70818->70816 70821 2424f3d GetPEB 70818->70821 70820 2424f79 GetPEB 70819->70820 70819->70822 70820->70822 70821->70816 70823 2424f95 GetPEB 70822->70823 70822->70824 70823->70824 70824->70769 70824->70824 70825->70771 70826->70777 70827->70771 70834 2402925 LdrInitializeThunk 70828->70834 70830 23bf7f7 70830->70768 70831 23bf7e9 70831->70830 70835 2402925 LdrInitializeThunk 70831->70835 70833->70803 70834->70831 70835->70830 70836->70793 70837 23d39f5 70838 23d3a9c 70837->70838 70839 23d3a73 70837->70839 70840 23d3ae4 GetPEB 70838->70840 70841 23d3ac3 70838->70841 70842 23d3b06 70840->70842 70843 23d3af1 70840->70843 70845 23d3b10 GetPEB 70842->70845 70847 23d3b1f 70842->70847 70843->70842 70844 23d3af6 GetPEB 70843->70844 70844->70842 70845->70847 70846 23d3cd5 70848 23d3d1c GetPEB 70846->70848 70869 23d3d35 70846->70869 70847->70846 70849 23d4bd2 70847->70849 70856 23d3bbc 70847->70856 70848->70869 70850 23d4c1f GetPEB 70849->70850 70851 23d4c35 70849->70851 70850->70851 70852 23d4c7d GetPEB 70851->70852 70853 23d4c96 70851->70853 70852->70853 70854 23bf7cf LdrInitializeThunk 70853->70854 70855 23d4cc3 70854->70855 70857 23d4ce5 70855->70857 70858 23d4cd2 GetPEB 70855->70858 70862 23d4cef GetPEB 70857->70862 70872 23d4d17 70857->70872 70858->70857 70859 23d4004 GetPEB 70861 23d4011 GetPEB 70859->70861 70868 23d402c 70859->70868 70860 23d4493 70860->70856 70863 23d44db GetPEB 70860->70863 70861->70868 70865 23d4cfe 70862->70865 70862->70872 70866 23d44e8 GetPEB 70863->70866 70874 23d4503 70863->70874 70864 23d423c GetPEB 70867 23d4249 GetPEB 70864->70867 70875 23d3f61 70864->70875 70865->70872 70873 23d4d07 
GetPEB 70865->70873 70866->70874 70867->70875 70871 23d4052 GetPEB 70868->70871 70869->70856 70869->70859 70869->70875 70870 23d4d47 GetPEB 70876 23d4d5a 70870->70876 70871->70875 70872->70870 70872->70876 70873->70872 70877 23d452c GetPEB 70874->70877 70875->70856 70875->70860 70875->70864 70878 23d428a GetPEB 70875->70878 70876->70856 70879 23d4d6d GetPEB 70876->70879 70877->70856 70878->70875 70879->70856 70880 244e257 70881 244e28e 70880->70881 70887 244e2eb 70880->70887 70881->70887 70888 2402845 LdrInitializeThunk 70881->70888 70882 244e3ff 70885 244e2e5 70885->70887 70889 2402895 LdrInitializeThunk 70885->70889 70887->70882 70890 2402815 LdrInitializeThunk 70887->70890 70888->70885 70889->70887 70890->70882 70891 4060d3 send 70892 406126 70891->70892 70893 40b1d4 70894 40b1e0 __EH_prolog3_catch 70893->70894 70904 421644 70894->70904 70897 418761 new KiUserExceptionDispatcher 70898 40b250 70897->70898 70908 4028d1 70898->70908 70900 40b260 __Getcoll 70901 40b51e 70900->70901 70902 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70900->70902 70903 40b41d __Getcoll 70902->70903 70905 42165d std::_Locinfo::_Locinfo_ctor 70904->70905 70917 420eae 70905->70917 70907 40b215 70907->70897 70909 4028e0 __EH_prolog3_catch_GS 70908->70909 70922 401337 70909->70922 70912 401337 KiUserExceptionDispatcher 70913 402912 70912->70913 70914 401337 KiUserExceptionDispatcher 70913->70914 70916 40291e 70914->70916 70915 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70915->70916 70916->70915 70918 420ec0 std::_Locinfo::_Locinfo_ctor 70917->70918 70920 420ed7 _memcpy_s std::_Locinfo::_Locinfo_ctor _free 70918->70920 70921 41e77f WSAStartup GetPEB __Getcvt __fassign 70918->70921 70920->70907 70921->70920 70923 401343 __EH_prolog3_catch 70922->70923 70924 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70923->70924 70925 4013a6 70924->70925 70925->70912 70929 2402795 LdrInitializeThunk 70930 401bdc 70931 401c41 __floor_pentium4 70930->70931 70932 40194b 
KiUserExceptionDispatcher 70931->70932 70933 401c71 __ExceptionPtr::_CallCopyCtor 70932->70933 70935 2400265 70936 240028a 70935->70936 70937 24002a0 70936->70937 70941 2402c65 LdrInitializeThunk 70936->70941 70939 2400298 70939->70937 70942 2402815 LdrInitializeThunk 70939->70942 70941->70939 70942->70937 70944 40b6e8 70945 40b6f4 70944->70945 70957 407e37 70945->70957 70948 40b7c8 70977 407f3d KiUserExceptionDispatcher __CxxThrowException@8 70948->70977 70950 40b812 70952 405ab1 KiUserExceptionDispatcher 70952->70948 70956 405abe KiUserExceptionDispatcher 70956->70948 70958 407e43 __EH_prolog3_catch 70957->70958 70978 402503 70958->70978 70961 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70962 407eb5 70961->70962 70962->70952 70962->70956 70963 405bb4 70962->70963 70967 4058ea 70962->70967 70970 405bbd 70962->70970 70973 4058e1 70962->70973 70964 405bbd 70963->70964 70982 402009 70964->70982 70994 40155f 70967->70994 70971 402009 KiUserExceptionDispatcher 70970->70971 70972 405c00 70971->70972 70972->70948 70974 4058ea 70973->70974 70975 40155f KiUserExceptionDispatcher 70974->70975 70976 405940 70975->70976 70976->70948 70977->70950 70979 40250f __EH_prolog3_catch 70978->70979 70980 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70979->70980 70981 40256e 70980->70981 70981->70961 70983 402015 __EH_prolog3_catch 70982->70983 70984 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70983->70984 70985 40206e 70984->70985 70988 401d5a 70985->70988 70989 401d66 __EH_prolog3_catch 70988->70989 70990 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70989->70990 70991 401dbf 70990->70991 70992 40194b KiUserExceptionDispatcher 70991->70992 70993 401e04 70992->70993 70993->70948 70995 40156b __EH_prolog3_catch 70994->70995 70996 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 70995->70996 70997 401601 70996->70997 70998 40194b KiUserExceptionDispatcher 70997->70998 70999 401646 70998->70999 71002 401ab9 70999->71002 71003 401ac5 
std::invalid_argument::invalid_argument __CxxThrowException@8 72209->72215 72212 40fac9 std::system_error::system_error KiUserExceptionDispatcher 72210->72212 72214 40fca6 collate 72212->72214 72214->72203 72219 401e7d 72220 401ee2 __floor_pentium4 72219->72220 72221 401891 KiUserExceptionDispatcher 72220->72221 72222 401f03 72221->72222 72223 401f07 72222->72223 72224 40194b KiUserExceptionDispatcher 72222->72224 72225 401f26 __ExceptionPtr::_CallCopyCtor 72224->72225 72226 40b57d 72227 40b58b 72226->72227 72228 421644 std::_Locinfo::_Locinfo_ctor 2 API calls 72227->72228 72229 40b5a8 72228->72229 72235 40b5b4 72229->72235 72244 40339a 72229->72244 72247 40427e setsockopt setsockopt 72229->72247 72248 403b79 72229->72248 72250 404459 72229->72250 72252 4045ce WSAIoctl 72229->72252 72253 404275 72229->72253 72255 4045c5 72229->72255 72257 403d6c 72229->72257 72264 403d63 72229->72264 72271 404462 setsockopt 72229->72271 72272 403382 72229->72272 72275 404541 setsockopt 72229->72275 72277 403b82 socket 72229->72277 72245 4033e9 72244->72245 72246 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 72245->72246 72246->72245 72247->72235 72249 403b82 socket 72248->72249 72249->72235 72251 404462 setsockopt 72250->72251 72251->72235 72252->72235 72254 40427e setsockopt setsockopt 72253->72254 72254->72235 72256 4045ce WSAIoctl 72255->72256 72256->72235 72258 403e31 72257->72258 72259 403ee9 gethostbyname 72258->72259 72260 403f87 codecvt 72259->72260 72261 404015 htons connect 72260->72261 72262 403fce 72260->72262 72263 4041cc 72261->72263 72262->72235 72263->72235 72265 403d6c 72264->72265 72266 403ee9 gethostbyname 72265->72266 72267 403f87 codecvt 72266->72267 72268 404015 htons connect 72267->72268 72269 403fce 72267->72269 72270 4041cc 72268->72270 72269->72235 72270->72235 72271->72235 72273 40338e __EH_prolog3_catch_GS 72272->72273 72274 41b2ca __CxxThrowException@8 KiUserExceptionDispatcher 72273->72274 72274->72273 72276 404569 72275->72276 72277->72235 
72278 23bd485 72286 23e3625 72278->72286 72280 23bd499 72281 23bd4cc 72280->72281 72289 2402845 LdrInitializeThunk 72280->72289 72282 23bd4e3 72281->72282 72290 2402845 LdrInitializeThunk 72281->72290 72285 241a690 72291 2402955 LdrInitializeThunk 72286->72291 72288 23e364e 72288->72280 72289->72281 72290->72285 72291->72288 72292 24028bf 72293 24028d4 LdrInitializeThunk 72292->72293 72294 24028c6 72292->72294

                    Control-flow Graph

                    • control_flow_graph 0, first block 40dc56-40dc73 (graph rendering not preserved)
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0040DC5D
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040DD4A
                      • Part of subcall function 00410818: __EH_prolog3_catch.LIBCMT ref: 0041081F
                    • __aulldiv.LIBCMT ref: 0040DDF8
                    • GetCursorPos.USER32(?), ref: 0040E169
                    • GetCursorPos.USER32(?), ref: 0040E17A
                    Strings
                    • Detect as physical environment based on mouse movement.[-], xrefs: 0040E1A2
                    • Detect as a VM based on executable run path.[+], xrefs: 0040E057
                    • Detect as physical environment based on MAC address prefix.[-], xrefs: 0040DF48
                    • @, xrefs: 0040DCA6
                    • Detect as a VM based on mouse movement.[+], xrefs: 0040E194
                    • Detect as physical environment based on system boot time.[-], xrefs: 0040DE20
                    • Detect as physical environment based on CPU temperature.[-], xrefs: 0040DEE6
                    • Detect as physical environment based on NetBIOS name.[-], xrefs: 0040DFAA
                    • VoidWalker, xrefs: 0040DFEE
                    • Detect as a VM based on current process filename.[+], xrefs: 0040E025
                    • Detect as a VM based on temp file count.[+], xrefs: 0040DEA7
                    • Detect as a VM based on hardware information.[+], xrefs: 0040DDC8
                    • Detect as a VM based on total disk size.[+], xrefs: 0040DD64
                    • Detect as physical environment based on Hyper-V presence.[-], xrefs: 0040DE81
                    • Detect as a VM based on RDTSC timing.[+], xrefs: 0040E1EC
                    • @TD, xrefs: 0040DC90, 0040E200
                    • \\.\PhysicalDrive0, xrefs: 0040DD0E
                    • Detect as physical environment based on hardware information.[-], xrefs: 0040DDD6
                    • Detect as a VM based on the number of CPU cores.[+], xrefs: 0040DC7D
                    • Detect as a VM based on motherboard info.[+], xrefs: 0040E130
                    • Detect as physical environment based on motherboard info.[-], xrefs: 0040E13E
                    • Detect as a VM based on CPU temperature.[+], xrefs: 0040DED8
                    • Detect as a VM based on power capabilities.[+], xrefs: 0040E0CC
                    • Detect as physical environment based on the number of CPU cores.[-], xrefs: 0040DC8B
                    • Detect as physical environment based on current process filename.[-], xrefs: 0040E033
                    • Detect as a VM based on DLLs loaded.[+], xrefs: 0040E089
                    • Detect as physical environment based on executable run path.[-], xrefs: 0040E065
                    • Detect as physical environment based on GPU memory.[-], xrefs: 0040DF17
                    • Detect as physical environment based on physical memory size.[-], xrefs: 0040DCEF
                    • Detect as a VM based on NetBIOS name.[+], xrefs: 0040DF9C
                    • Detect as a VM based on Hyper-V presence.[+], xrefs: 0040DE5F
                    • Detect as physical environment based on power capabilities.[-], xrefs: 0040E0DA
                    • Detect as a VM based on MAC address prefix.[+], xrefs: 0040DF3A
                    • Detect as a VM based on license values.[+], xrefs: 0040E0FE
                    • Detect as a VM based on physical memory size.[+], xrefs: 0040DCE1
                    • Detect as a VM based on usernames.[+], xrefs: 0040DF6B
                    • Detect as physical environment based on rundll32 parent process.[-], xrefs: 0040DFDB
                    • Detect as physical environment based on RDTSC timing.[-], xrefs: 0040E1FB
                    • Detect as physical environment based on temp file count.[-], xrefs: 0040DEB5
                    • Detect as physical environment based on total disk size.[-], xrefs: 0040DD72
                    • Detect as physical environment based on specific processes.[-], xrefs: 0040DDA4
                    • Detect as a VM based on GPU memory.[+], xrefs: 0040DF09
                    • Detect as a VM based on system boot time.[+], xrefs: 0040DE12
                    • Detect as a VM based on specific processes.[+], xrefs: 0040DD96
                    • Detect as physical environment based on usernames.[-], xrefs: 0040DF79
                    • Detect as physical environment based on DLLs loaded.[-], xrefs: 0040E097
                    • Detect as a VM based on rundll32 parent process.[+], xrefs: 0040DFCD
                    • Detect as physical environment based on license values.[-], xrefs: 0040E10C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cursor$H_prolog3_H_prolog3_catchUnothrow_t@std@@@__aulldiv__ehfuncinfo$??2@
                    • API String ID: 2337057263-1148611144
                    • Opcode ID: 89195aa43a705b2d82cbe94d82dcd2d5688d9cd5c86b34a1c6ad5e9790caa631
                    • Instruction ID: 80c3a512bf09a135a5fd71949b2be695d2aede728182df62d3a464da82110bad
                    • Opcode Fuzzy Hash: 89195aa43a705b2d82cbe94d82dcd2d5688d9cd5c86b34a1c6ad5e9790caa631
                    • Instruction Fuzzy Hash: 17E16E71F4430496EB14B7B658566AE1216AF90708F20D83FB5027F2C7CFBCD886869E

                    Control-flow Graph

                    • control_flow_graph 312, first block 5885430-58854c6 (graph rendering not preserved)
                    APIs
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                    • _memset.LIBCMT ref: 0588546C
                    • _memset.LIBCMT ref: 05885485
                    • _memset.LIBCMT ref: 0588549B
                    • gethostname.WS2_32(?,00000100), ref: 058854AF
                    • gethostbyname.WS2_32(?), ref: 058854BC
                    • inet_ntoa.WS2_32 ref: 058854D4
                    • _strcat_s.LIBCMT ref: 058854E7
                    • _strcat_s.LIBCMT ref: 05885500
                    • inet_ntoa.WS2_32 ref: 05885521
                    • _strcat_s.LIBCMT ref: 05885534
                    • _strcat_s.LIBCMT ref: 0588554D
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0588557A
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0588558E
                    • GetLastInputInfo.USER32(?), ref: 058855A1
                    • GetTickCount.KERNEL32 ref: 058855A7
                    • wsprintfW.USER32 ref: 058855DC
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 058855F2
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 05885609
                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 05885660
                    • wsprintfW.USER32 ref: 05885679
                    • GetForegroundWindow.USER32 ref: 058856A2
                    • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 058856B9
                    • lstrlenW.KERNEL32(000008CC), ref: 058856C6
                    • lstrlenW.KERNEL32(00000994), ref: 05885712
                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 05885783
                    • GetProcAddress.KERNEL32(00000000), ref: 0588578A
                    • GetNativeSystemInfo.KERNEL32(?), ref: 0588579B
                    • GetSystemInfo.KERNEL32(?), ref: 058857A6
                    • wsprintfW.USER32 ref: 058857DF
                    • GetCurrentProcessId.KERNEL32 ref: 058857F1
                    • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 05885807
                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104), ref: 05885824
                    • CloseHandle.KERNEL32(?), ref: 05885858
                    • GetTickCount.KERNEL32 ref: 058858B9
                    • __time64.LIBCMT ref: 058858C8
                    • __localtime64.LIBCMT ref: 058858FF
                    • wsprintfW.USER32 ref: 05885938
                    • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0588594D
                    • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0588595C
                    • GetCurrentHwProfileW.ADVAPI32(?), ref: 05885969
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memset$CountCurrentHandleTickWindowinet_ntoalstrlen$AddressCloseDirectoryFileForegroundImageInputLastLocaleModuleNameNativeOpenProcProfileText__localtime64__time64_mallocgethostbynamegethostname
                    • String ID: $%d min$1.0$AppEvents$GROUP$GetNativeSystemInfo$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                    • API String ID: 9717835-1006841886
                    • Opcode ID: ff368cb4239cfcb06563f9a3e45add9f7abac2156689aa1994d0ff6a89b77eef
                    • Instruction ID: 8dae75140f962dfac6a1b6afaecc78c9611fd4c19260db7eb583ded7a367bf26
                    • Opcode Fuzzy Hash: ff368cb4239cfcb06563f9a3e45add9f7abac2156689aa1994d0ff6a89b77eef
                    • Instruction Fuzzy Hash: 10F1B2B5A40704AFEB24EB64DC85FEB77B8EF48701F004559FA1AD7280EA74AA44CF51

                    Control-flow Graph

                    • control_flow_graph 402, first block 588de70-588ded2 (graph rendering not preserved)
                    APIs
                      • Part of subcall function 05890430: __fassign.LIBCMT ref: 05890426
                    • Sleep.KERNEL32(00000000), ref: 0588DEC4
                    • CloseHandle.KERNEL32(00000000), ref: 0588DEF1
                    • GetLocalTime.KERNEL32(?), ref: 0588DF09
                    • wsprintfW.USER32 ref: 0588DF40
                    • SetUnhandledExceptionFilter.KERNEL32(058875A0), ref: 0588DF4E
                    • CloseHandle.KERNEL32(00000000), ref: 0588DF67
                    • EnumWindows.USER32(05885C90,?), ref: 0588E0B2
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                    • Sleep.KERNEL32(00004E20), ref: 0588E0C5
                    • EnumWindows.USER32(05885C90,?), ref: 0588E0D9
                    • Sleep.KERNEL32(00000BB8), ref: 0588E110
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0588E153
                    • Sleep.KERNEL32(00000FA0,?,?,?,00000208,103.199.100.130), ref: 0588E1CD
                    • RegOpenKeyExW.KERNEL32 ref: 0588E1F4
                    • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0588E214
                    • CloseHandle.KERNEL32(?), ref: 0588E25F
                      • Part of subcall function 0588F919: ___set_flsgetvalue.LIBCMT ref: 0588F93E
                      • Part of subcall function 0588F919: __calloc_crt.LIBCMT ref: 0588F94A
                      • Part of subcall function 0588F919: __getptd.LIBCMT ref: 0588F957
                      • Part of subcall function 0588F919: CreateThread.KERNEL32(00000000,00000000,0588F8B4,00000000,00000000,0588DF63), ref: 0588F98E
                      • Part of subcall function 0588F919: GetLastError.KERNEL32(?,?,00000000,?,0588DF63,00000000,00000000,05885F10,00000000,00000000,00000000), ref: 0588F998
                      • Part of subcall function 0588F919: _free.LIBCMT ref: 0588F9A1
                      • Part of subcall function 0588F919: __dosmaperr.LIBCMT ref: 0588F9AC
                    • Sleep.KERNEL32(000003E8,?,?,?,00000208,103.199.100.130), ref: 0588E2A4
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000208,103.199.100.130), ref: 0588E2D0
                    • CloseHandle.KERNEL32(?,?,?,00000208,103.199.100.130), ref: 0588E2D7
                    • Sleep.KERNEL32(000003E8,?,?,00000208,103.199.100.130), ref: 0588E2E2
                    • CloseHandle.KERNEL32(?), ref: 0588E300
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000208,103.199.100.130), ref: 0588E323
                    • CloseHandle.KERNEL32(?,?,?,00000208,103.199.100.130), ref: 0588E32A
                    • Sleep.KERNEL32(00000000,?,?,?,?,00000208,103.199.100.130), ref: 0588E344
                    • CloseHandle.KERNEL32(?), ref: 0588E362
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseHandleSleep$CreateEnumObjectSingleWaitWindows$ErrorEventExceptionFilterLastLocalOpenQueryThreadTimeUnhandledValue___set_flsgetvalue__calloc_crt__dosmaperr__fassign__getptd_free_mallocwsprintf
                    • String ID: %4d.%2d.%2d-%2d:%2d:%2d$103.199.100.130$103.199.100.130$103.199.100.97$199.100.130$8080$8181$8181$8282$Console$IpDatespecial

                    Control-flow Graph

                    APIs
                    • GetDesktopWindow.USER32 ref: 0588BBEF
                    • GetDC.USER32(00000000), ref: 0588BBFC
                    • CreateCompatibleDC.GDI32(00000000), ref: 0588BC02
                    • GetDC.USER32(00000000), ref: 0588BC0D
                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0588BC1A
                    • GetDeviceCaps.GDI32(00000000,00000076), ref: 0588BC22
                    • ReleaseDC.USER32(00000000,00000000), ref: 0588BC33
                    • GetSystemMetrics.USER32(0000004E), ref: 0588BC58
                    • GetSystemMetrics.USER32(0000004F), ref: 0588BC86
                    • GetSystemMetrics.USER32(0000004C), ref: 0588BCD8
                    • GetSystemMetrics.USER32(0000004D), ref: 0588BCED
                    • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0588BD06
                    • SelectObject.GDI32(?,00000000), ref: 0588BD14
                    • SetStretchBltMode.GDI32(?,00000003), ref: 0588BD20
                    • GetSystemMetrics.USER32(0000004F), ref: 0588BD2D
                    • GetSystemMetrics.USER32(0000004E), ref: 0588BD40
                    • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0588BD67
                    • _memset.LIBCMT ref: 0588BDDA
                    • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0588BDF7
                    • _memset.LIBCMT ref: 0588BE0F
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                    • DeleteObject.GDI32(?), ref: 0588BE83
                    • DeleteObject.GDI32(?), ref: 0588BE8D
                    • ReleaseDC.USER32(00000000,?), ref: 0588BE99
                    • DeleteObject.GDI32(?), ref: 0588BF3F
                    • DeleteObject.GDI32(?), ref: 0588BF49
                    • ReleaseDC.USER32(00000000,?), ref: 0588BF55
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                    • String ID: ($6$gfff$gfff

                    Control-flow Graph

                    APIs
                    • GetCurrentProcessId.KERNEL32(75A773E0), ref: 05886A64
                    • wsprintfW.USER32 ref: 05886A77
                      • Part of subcall function 058868E0: GetCurrentProcessId.KERNEL32(A97BC7BB,00000000,00000000,75A773E0,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 05886908
                      • Part of subcall function 058868E0: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 05886917
                      • Part of subcall function 058868E0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 05886930
                      • Part of subcall function 058868E0: CloseHandle.KERNEL32(00000000,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 0588693B
                    • _memset.LIBCMT ref: 05886A92
                    • GetVersionExW.KERNEL32(?), ref: 05886AAB
                    • GetCurrentProcess.KERNEL32(00000008,?), ref: 05886AE2
                    • OpenProcessToken.ADVAPI32(00000000), ref: 05886AE9
                    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 05886B0F
                    • GetLastError.KERNEL32 ref: 05886B19
                    • LocalAlloc.KERNEL32(00000040,?), ref: 05886B2D
                    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 05886B55
                    • GetSidSubAuthorityCount.ADVAPI32 ref: 05886B68
                    • GetSidSubAuthority.ADVAPI32(00000000), ref: 05886B76
                    • LocalFree.KERNEL32(?), ref: 05886B85
                    • CloseHandle.KERNEL32(?), ref: 05886B92
                    • wsprintfW.USER32 ref: 05886BEB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                    • String ID: -N/$NO/$None/%s

                    Control-flow Graph

                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0040CB25
                      • Part of subcall function 0040EF6C: char_traits.LIBCPMT ref: 0040EF85
                      • Part of subcall function 0040C806: __EH_prolog3_GS.LIBCMT ref: 0040C810
                      • Part of subcall function 0040C806: CoInitialize.OLE32(00000000), ref: 0040C821
                      • Part of subcall function 0040C806: CoCreateInstance.COMBASE(0043AB58,00000000,00000001,0043AA88,?), ref: 0040C841
                      • Part of subcall function 0040C806: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0040C8B8
                      • Part of subcall function 0040C806: CoUninitialize.COMBASE ref: 0040C8DA
                      • Part of subcall function 0040C806: CoUninitialize.COMBASE ref: 0040C9B8
                      • Part of subcall function 0040FB5D: _memcmp.LIBVCRUNTIME ref: 0040FBB4
                      • Part of subcall function 0040C806: CoUninitialize.COMBASE ref: 0040CAE9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Uninitialize$H_prolog3_$BlanketCreateInitializeInstanceProxy_memcmpchar_traits
                    • String ID: Caption$Model$None$SerialNumber$VBOX$VMware$Virtual HD$Virtual Machine$VirtualBox$Win32_BaseBoard$Win32_DiskDrive$Win32_computersystem

                    Control-flow Graph

                    APIs
                    • LoadLibraryW.KERNEL32(ntdll.dll,75A773E0,?,?,?,0588561E,0000035E,000002FA), ref: 0588748C
                    • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 058874A2
                    • swprintf.LIBCMT ref: 058874DF
                      • Part of subcall function 05887400: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,05887513), ref: 0588742D
                      • Part of subcall function 05887400: GetProcAddress.KERNEL32(00000000), ref: 05887434
                      • Part of subcall function 05887400: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,05887513), ref: 05887442
                    • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 05887537
                    • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 05887553
                    • RegCloseKey.KERNEL32(000002FA), ref: 05887576
                    • FreeLibrary.KERNEL32(00000000,?,?,?,0588561E,0000035E,000002FA), ref: 05887588
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                    • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                    APIs
                    • __EH_prolog3.LIBCMT ref: 0040C52A
                    • CoInitializeEx.COMBASE(00000000,00000000), ref: 0040C536
                    • CoInitializeSecurity.COMBASE(00000000,?,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C54E
                    • CoCreateInstance.COMBASE(0043AB58,00000000,00000001,0043AA88,?), ref: 0040C572
                      • Part of subcall function 0040C466: __EH_prolog3.LIBCMT ref: 0040C46D
                      • Part of subcall function 0040C466: new.LIBCMT ref: 0040C476
                      • Part of subcall function 0040C466: SysAllocString.OLEAUT32(?), ref: 0040C497
                      • Part of subcall function 0040C466: _com_issue_error.COMSUPP ref: 0040C4AD
                    • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C5E4
                    • VariantClear.OLEAUT32(?), ref: 0040C6B9
                    • CoUninitialize.COMBASE(?,?,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C6EF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3Initialize$AllocBlanketClearCreateInstanceProxySecurityStringUninitializeVariant_com_issue_error
                    • String ID: CurrentTemperature$ROOT\WMI$SELECT * FROM MSAcpi_ThermalZoneTemperature$WQL
                    APIs
                      • Part of subcall function 05885320: InterlockedDecrement.KERNEL32(00000008), ref: 0588536F
                      • Part of subcall function 05885320: SysFreeString.OLEAUT32(00000000), ref: 05885384
                      • Part of subcall function 05885320: SysAllocString.OLEAUT32(058A5040), ref: 058853D5
                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,058A5040,05886974,058A5040,00000000,75A773E0), ref: 058867C4
                    • GetLastError.KERNEL32 ref: 058867CE
                    • GetProcessHeap.KERNEL32(00000008,?), ref: 058867E6
                    • HeapAlloc.KERNEL32(00000000), ref: 058867ED
                    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0588680F
                    • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 05886841
                    • GetLastError.KERNEL32 ref: 0588684B
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 058868B6
                    • HeapFree.KERNEL32(00000000), ref: 058868BD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                    • String ID: NONE_MAPPED
                    APIs
                    • GetDriveTypeW.KERNEL32(?,7591DF80,00000000,75A773E0), ref: 05886C5B
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 05886C7A
                    • _memset.LIBCMT ref: 05886CB1
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 05886CC4
                    • swprintf.LIBCMT ref: 05886D09
                    • swprintf.LIBCMT ref: 05886D1C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                    • String ID: %sFree%d Gb $:$@$HDD:%d
                    APIs
                    • CreateDXGIFactory.DXGI(058A568C,?,A97BC7BB,7591DF80,00000000,75A773E0), ref: 05886F3A
                    • swprintf.LIBCMT ref: 0588710E
                    • std::_Xinvalid_argument.LIBCPMT ref: 058871B7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                    • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0040CEFF
                      • Part of subcall function 00411365: __EH_prolog3_catch.LIBCMT ref: 0041136C
                    • GetAdaptersInfo.IPHLPAPI(00000000), ref: 0040CFD3
                    • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040CFF6
                      • Part of subcall function 0040FA39: std::_Deallocate.LIBCONCRT ref: 0040FA69
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdaptersInfo$DeallocateH_prolog3_H_prolog3_catchstd::_
                    • String ID: 00-03-FF$00-05-69$00-0C-29$00-50-56$08-00-27
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,05887513), ref: 0588742D
                    • GetProcAddress.KERNEL32(00000000), ref: 05887434
                    • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,05887513), ref: 05887442
                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,05887513), ref: 0588744A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InfoSystem$AddressHandleModuleNativeProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    APIs
                    • _memset.LIBCMT ref: 0588604C
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 05886058
                    • Process32FirstW.KERNEL32(00000000,00000000), ref: 05886089
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 058860DF
                    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 058860E6
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                    • String ID:
                    • API String ID: 2526126748-0
                    • Opcode ID: 862717e684e8c1d2e533eb34457a48905abfdc2eb55d5748b5b147552846935d
                    • Instruction ID: 55a938b9edc3cf3c303d249df29658cdefbc8a6d4f685a65a20a25ccb91ecfb2
                    • Opcode Fuzzy Hash: 862717e684e8c1d2e533eb34457a48905abfdc2eb55d5748b5b147552846935d
                    • Instruction Fuzzy Hash: 4A2194316101189BEB20FF68AC59BFAB369FF24314F104295EC1AD7180FB31AE05C655
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 0040BC93
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BCC5
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catch_ThrowUser
                    • String ID: @
                    • API String ID: 2496864217-2766056989
                    • Opcode ID: 2de8dc4e35383c6151940d4016f9c810659b6c960c2a302111626511353e57d0
                    • Instruction ID: ae7c116213ff3d901724b6428fc8427c71a3f9cab7b4ef2a80dbfd93885d7ade
                    • Opcode Fuzzy Hash: 2de8dc4e35383c6151940d4016f9c810659b6c960c2a302111626511353e57d0
                    • Instruction Fuzzy Hash: D511A671D0026C65DB22ABA68C89F7F6E78DF87BA0F04501FF50867141CB7C4546EEA6
                    APIs
                    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00404F4E
                    • recv.WS2_32(?,?,00040000,00000000), ref: 004050D0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: recvselect
                    • String ID:
                    • API String ID: 741273618-0
                    • Opcode ID: ac29f364758362306f86bd3f715e760089c0395256dff397d52ad160623d8a14
                    • Instruction ID: efe57192649d8688e423c31ea2ba61c287f9bb0601e35bcbe0f9d9de6db3ce85
                    • Opcode Fuzzy Hash: ac29f364758362306f86bd3f715e760089c0395256dff397d52ad160623d8a14
                    • Instruction Fuzzy Hash: 3B0218B79C9A8CAFF230EAC56C59B72B79CE313A37F300B33E966D26D0D66854418550
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040BC07
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BC20
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID:
                    • API String ID: 1841272387-0
                    • Opcode ID: 39fda0efeca56565c6fa06b1fc5ec53f4701eb728d21d9137ee5ceea68e223a5
                    • Instruction ID: c7a0f4040fa537f1793bcdd69a76fca78c649a4b054b484e010122540f5b1e4c
                    • Opcode Fuzzy Hash: 39fda0efeca56565c6fa06b1fc5ec53f4701eb728d21d9137ee5ceea68e223a5
                    • Instruction Fuzzy Hash: 76F0BB21D4012C76DA22A7B29D8CE7F6D7CDF8BAA1F50505FF008A21408F2C4546EEFA
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 0040BAAA
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BB05
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catch_ThrowUser
                    • String ID:
                    • API String ID: 2496864217-0
                    • Opcode ID: 7b59d06170d4ad62566acd0a9c4d59ccc159564280425c00108b25958848e823
                    • Instruction ID: 758e7640c992d458a83e73611db6df2efd19529b5e74a096fe474286059fe2e7
                    • Opcode Fuzzy Hash: 7b59d06170d4ad62566acd0a9c4d59ccc159564280425c00108b25958848e823
                    • Instruction Fuzzy Hash: 54011231D4022C66CB25AB618C8ABFFAE78DF46B55F00509EF108A6141CB784A459FE9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d59eba33419220fab1722354699e203160e3d14fdc26a004ab78ce9c5ec21f3
                    • Instruction ID: d7d626a57004030ac816f2d830c0f32aaa39e1c59d18c400e42b2c8c91efc9fe
                    • Opcode Fuzzy Hash: 3d59eba33419220fab1722354699e203160e3d14fdc26a004ab78ce9c5ec21f3
                    • Instruction Fuzzy Hash: AC13AE72A00255CFDB25CF68D8807ADFBB6FF49304F1481AAD859AB381D734A946CF90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 557fd95e002be5ae85579bb77ed6a08b49850f2ddf8d9112cf3ddefca6f25630
                    • Instruction ID: 5050fd458292a6a9b7bf383c05c5322d7e38423eb10b8580391627bdfa2fca36
                    • Opcode Fuzzy Hash: 557fd95e002be5ae85579bb77ed6a08b49850f2ddf8d9112cf3ddefca6f25630
                    • Instruction Fuzzy Hash: 50E2DF71A00255DFDB25CF68D880BADBBF2FF49304F1481A9E949AB786D734A845CF90
                    APIs
                    • LdrInitializeThunk.NTDLL(0247674F,?,00000000), ref: 0240430F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 702c7e317ab3f53b736964da102ab380ae45d93e5f7a9feff75c1bb93bc30af3
                    • Instruction ID: d3738fe992ee4f186145fced47513772438de4ca036a9cc469de244c76204be5
                    • Opcode Fuzzy Hash: 702c7e317ab3f53b736964da102ab380ae45d93e5f7a9feff75c1bb93bc30af3
                    • Instruction Fuzzy Hash: 6A900271601900D2454071588804406600597E13013F6C115A0654564CCA188955A2A9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID: 0-3916222277
                    • Opcode ID: 1d98501bcb5a5088169635d4871e9d7fe3341a7799f594ef6beebcf001f3873c
                    • Instruction ID: 04764a0fb4a94eb1609d06aedbfce296c3bb061d03378d940b7fba78be8cad5f
                    • Opcode Fuzzy Hash: 1d98501bcb5a5088169635d4871e9d7fe3341a7799f594ef6beebcf001f3873c
                    • Instruction Fuzzy Hash: 82015A3243424AEFCF15AFE1D90CAAE3B65EB48398F118028F806A1164D7759AA0EF11
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e9130d9898f645e41b3a0fceade0e7b254e8ecd59db69927599aa03c2b03ea7
                    • Instruction ID: 4a04af3c41b4d0d09238366abef598eb11aca61d96a2f1dad27c00b6cd652e7f
                    • Opcode Fuzzy Hash: 2e9130d9898f645e41b3a0fceade0e7b254e8ecd59db69927599aa03c2b03ea7
                    • Instruction Fuzzy Hash: 21F1CC71B00611DFDB29CF69D894B6AB7B6FF84704F1081A9E8169B781C734E985CF90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6f51087a112ed96416a85086d81112186fb0f796a0a6a7488d17344b655bfdc8
                    • Instruction ID: 296a7496e8f11303feebaf3b5632dca6e4a0bc35272bc5c8773f316ff84f9aa4
                    • Opcode Fuzzy Hash: 6f51087a112ed96416a85086d81112186fb0f796a0a6a7488d17344b655bfdc8
                    • Instruction Fuzzy Hash: DFB12632B04655AFDB25CBAAC890BBEBBFAEF84704F15019AD5519B381CB70E941CB50

                    Control-flow Graph

                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0040D253
                      • Part of subcall function 00411365: __EH_prolog3_catch.LIBCMT ref: 0041136C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_H_prolog3_catch
                    • String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$JOHN-PC$John Doe$Johnson$Miller$Peter Wilson$Sandbox$Sangfor$maltest$malware$milozs$sand box$test user$timmy$user$virus
                    • API String ID: 3862090230-243956707
                    • Opcode ID: 1c66b16550f99bcd323c21c3f8f68982231fbfbce7b62f4824458308cdcb34b6
                    • Instruction ID: a740bf118985a8ba2e6b965ac6ed2a48cb7c2ed2878fac0725f1b94998e77058
                    • Opcode Fuzzy Hash: 1c66b16550f99bcd323c21c3f8f68982231fbfbce7b62f4824458308cdcb34b6
                    • Instruction Fuzzy Hash: 96513D30D01258DADB25EB60C896BDDB7346B14708F6401FEA549362C2DFB81F8CDA69

                    Control-flow Graph

                    APIs
                    • GdipGetImagePixelFormat.GDIPLUS(Function_00009A20,?,?,00000000), ref: 05889E6B
                    • GdipGetImageHeight.GDIPLUS(Function_00009A20,?,?,00000000), ref: 05889EEC
                    • GdipGetImageWidth.GDIPLUS(Function_00009A20,?,?,00000000), ref: 05889F14
                    • GdipGetImagePaletteSize.GDIPLUS(Function_00009A20,?,?,00000000), ref: 05889F6F
                    • _malloc.LIBCMT ref: 05889FB0
                      • Part of subcall function 0588F563: __FF_MSGBANNER.LIBCMT ref: 0588F57C
                      • Part of subcall function 0588F563: __NMSG_WRITE.LIBCMT ref: 0588F583
                      • Part of subcall function 0588F563: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 0588F5A8
                    • _free.LIBCMT ref: 05889FF0
                    • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0588A018
                    • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0588A0A7
                    • GdipBitmapLockBits.GDIPLUS(Function_00009A20,?,00000001,?,?,?,00000000), ref: 0588A102
                    • _free.LIBCMT ref: 0588A124
                    • _memcpy_s.LIBCMT ref: 0588A173
                    • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0588A1C0
                    • GdipCreateBitmapFromScan0.GDIPLUS(?,?,058A5968,00022009,?,00000000,?,00000000), ref: 0588A21C
                    • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0588A23C
                    • GdipDrawImageI.GDIPLUS(00000000,Function_00009A20,00000000,00000000,?,00000000), ref: 0588A257
                    • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0588A264
                    • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0588A26B
                    • _free.LIBCMT ref: 0588A286
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                    • String ID: &
                    • API String ID: 640422297-3042966939
                    • Opcode ID: c36449dcc92491b5c2fe8ae4ca171e670c041e2e68d5f567d421a06bd095be62
                    • Instruction ID: 4d27251c164c17bf668210dcdb2c72aaad519b126bb2d69066d62e0b89f9b28e
                    • Opcode Fuzzy Hash: c36449dcc92491b5c2fe8ae4ca171e670c041e2e68d5f567d421a06bd095be62
                    • Instruction Fuzzy Hash: B1D192B0A002199FDB24EF54CC84BBAB7B5FF48314F0085A9EA0AE7240D774AE85CF55

                    Control-flow Graph

                    APIs
                    • ResetEvent.KERNEL32(?), ref: 05882DBB
                    • InterlockedExchange.KERNEL32(?,00000000), ref: 05882DC7
                    • timeGetTime.WINMM ref: 05882DCD
                    • socket.WS2_32(00000002,00000001,00000006), ref: 05882DFA
                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 05882E26
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 05882E32
                    • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 05882E51
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 05882E5D
                    • gethostbyname.WS2_32(00000000), ref: 05882E6B
                    • htons.WS2_32(?), ref: 05882E8D
                    • connect.WS2_32(?,?,00000010), ref: 05882EAB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                    • String ID: 0u
                    • API String ID: 640718063-3203441087
                    • Opcode ID: f48b57cb0070dc486c75aabcae1bf7021ab87a1e698406494c7e063f676d07c5
                    • Instruction ID: c57a5b4c5f5629cbd5cc5f10d6fe4ceb0ceee9b58e4590123bd4933dc4e4a6d0
                    • Opcode Fuzzy Hash: f48b57cb0070dc486c75aabcae1bf7021ab87a1e698406494c7e063f676d07c5
                    • Instruction Fuzzy Hash: EC617075A40304AFE720EFA4DC46FAAB7B8FF48710F104519FA56E76D0DAB0B9048B65

                    Control-flow Graph

                    APIs
                    • RegOpenKeyExW.KERNELBASE ref: 0588AD2E
                    • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,80000001,00000000,?), ref: 0588AD4A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: OpenQueryValue
                    • String ID: %s_bin$Console$Console\0$IpDatespecial
                    • API String ID: 4153817207-1338088003
                    • Opcode ID: fedc5c187d2f06c3b46d88cc99732ac24f8d1d271fafd12cab3862796d9cd84e
                    • Instruction ID: f22098ec1b0e337f4b07745715215c7eed2c75ed277b1564474f4c76b6455b84
                    • Opcode Fuzzy Hash: fedc5c187d2f06c3b46d88cc99732ac24f8d1d271fafd12cab3862796d9cd84e
                    • Instruction Fuzzy Hash: 76C1BDB1600301ABE714EF28DC4AB7777A9EB94714F044529FD8ADB281E775ED04C7A2

                    Control-flow Graph

                    APIs
                    • _memset.LIBCMT ref: 0588615B
                    • lstrcatW.KERNEL32(058B1F50,058A5000,?,A97BC7BB,00000AD4,00000000,75A773E0), ref: 0588619D
                    • lstrcatW.KERNEL32(058B1F50,058A524C,?,A97BC7BB,00000AD4,00000000,75A773E0), ref: 058861A9
                    • CoCreateInstance.OLE32(058A2480,00000000,00000017,058A567C,?,?,A97BC7BB,00000AD4,00000000,75A773E0), ref: 058861F0
                    • _memset.LIBCMT ref: 0588629E
                    • wsprintfW.USER32 ref: 05886306
                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0588632F
                    • _memset.LIBCMT ref: 05886346
                      • Part of subcall function 05886020: _memset.LIBCMT ref: 0588604C
                      • Part of subcall function 05886020: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 05886058
                    Strings
                    • CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 05886300
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                    • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
                    • API String ID: 1221949200-4035668053
                    • Opcode ID: 89ef40b19ebad12c14fd40a855f393ca65452543db00ff410bc30849e6f54731
                    • Instruction ID: d90bbd08d52f71c261c30cfb807d21c3afebb9cb75a4c39d0a3a4677d48a027c
                    • Opcode Fuzzy Hash: 89ef40b19ebad12c14fd40a855f393ca65452543db00ff410bc30849e6f54731
                    • Instruction Fuzzy Hash: 028176B1A10268ABEB20DB55DC45FAEB7B8EB44704F044188FF09E7241E774AE80DF65

                    Control-flow Graph

                    APIs
                    • CreateMutexW.KERNEL32(00000000,00000000,058AEE04), ref: 05885F36
                    • GetLastError.KERNEL32 ref: 05885F3E
                    • Sleep.KERNEL32(000003E8), ref: 05885F55
                    • CreateMutexW.KERNEL32(00000000,00000000,058AEE04), ref: 05885F60
                    • GetLastError.KERNEL32 ref: 05885F62
                    • _memset.LIBCMT ref: 05885F89
                    • lstrlenW.KERNEL32(?), ref: 05885F96
                    • lstrcmpW.KERNEL32(?,058A5218), ref: 05885FBC
                    • Sleep.KERNEL32(000003E8), ref: 05885FC7
                    • GetModuleHandleW.KERNEL32(00000000), ref: 05885FD4
                    • GetConsoleWindow.KERNEL32 ref: 05885FDE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                    • String ID: key$open
                    • API String ID: 2922109467-2893384115
                    • Opcode ID: 3625d7442ac34aa7d0513b7f603adf5c266089b48a5dd25bc9850ba6c1aafea8
                    • Instruction ID: c82e23c7f68ee57656f00e42b0c9fec18149a6defc36b37a15060466132804df
                    • Opcode Fuzzy Hash: 3625d7442ac34aa7d0513b7f603adf5c266089b48a5dd25bc9850ba6c1aafea8
                    • Instruction Fuzzy Hash: 1E21E136654304ABE620FB64AC46F6A7798EB84700F100929FE46D71C0EF74BD08CAA3

                    Control-flow Graph

                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0040C810
                    • CoInitialize.OLE32(00000000), ref: 0040C821
                    • CoCreateInstance.COMBASE(0043AB58,00000000,00000001,0043AA88,?), ref: 0040C841
                    • CoUninitialize.COMBASE ref: 0040C8DA
                      • Part of subcall function 0040C466: __EH_prolog3.LIBCMT ref: 0040C46D
                      • Part of subcall function 0040C466: new.LIBCMT ref: 0040C476
                      • Part of subcall function 0040C466: SysAllocString.OLEAUT32(?), ref: 0040C497
                      • Part of subcall function 0040C466: _com_issue_error.COMSUPP ref: 0040C4AD
                    • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0040C8B8
                    • CoUninitialize.COMBASE ref: 0040C9B8
                      • Part of subcall function 0040FA39: std::_Deallocate.LIBCONCRT ref: 0040FA69
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Uninitialize$AllocBlanketCreateDeallocateH_prolog3H_prolog3_InitializeInstanceProxyString_com_issue_errorstd::_
                    • String ID: ROOT\CIMV2$SELECT * FROM $WQL
                    • API String ID: 115743266-1972049189
                    • Opcode ID: 8f7339e58dd4261f4a7628e53cd33fd972a00d9235bbcc0f996b60dd26809251
                    • Instruction ID: 9520bbf863120fca48183976df3bb85adcecea4f5cebccfa541607eded1f5bf3
                    • Opcode Fuzzy Hash: 8f7339e58dd4261f4a7628e53cd33fd972a00d9235bbcc0f996b60dd26809251
                    • Instruction Fuzzy Hash: E9914EB1A01218DFDB60DB54CC94BAAB778EF44304F1441EDF60AA7291CB789E85CF68
                    APIs
                    • GlobalAlloc.KERNEL32(00000002,?,A97BC7BB,?,00000000,?), ref: 0588BFFE
                    • GlobalLock.KERNEL32(00000000), ref: 0588C00A
                    • GlobalUnlock.KERNEL32(00000000), ref: 0588C01F
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0588C035
                    • EnterCriticalSection.KERNEL32(058AFBA4), ref: 0588C073
                    • LeaveCriticalSection.KERNEL32(058AFBA4), ref: 0588C084
                      • Part of subcall function 05889DD0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 05889DF4
                      • Part of subcall function 05889DD0: GdipDisposeImage.GDIPLUS(?), ref: 05889E08
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0588C0AC
                      • Part of subcall function 0588A450: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0588A47D
                      • Part of subcall function 0588A450: _free.LIBCMT ref: 0588A4F3
                    • GetHGlobalFromStream.OLE32(?,?), ref: 0588C0CD
                    • GlobalLock.KERNEL32(?), ref: 0588C0D7
                    • GlobalFree.KERNEL32(00000000), ref: 0588C0EF
                      • Part of subcall function 05889B90: DeleteObject.GDI32(?), ref: 05889BC2
                      • Part of subcall function 05889B90: EnterCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889BD3
                      • Part of subcall function 05889B90: EnterCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889BE8
                      • Part of subcall function 05889B90: GdiplusShutdown.GDIPLUS(00000000,?,?,?,05889B6B), ref: 05889BF4
                      • Part of subcall function 05889B90: LeaveCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889C05
                      • Part of subcall function 05889B90: LeaveCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889C0C
                    • GlobalSize.KERNEL32(00000000), ref: 0588C105
                    • GlobalUnlock.KERNEL32(?), ref: 0588C181
                    • GlobalFree.KERNEL32(00000000), ref: 0588C1A9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                    • String ID:
                    • API String ID: 1483550337-0
                    • Opcode ID: 02f24c96ac09ba8599252c6e5038bf99a5ce0a523dc0b7e3645a484449ac7329
                    • Instruction ID: 83af5278806502ac5ab95936d6ee2288b8432f56e788872b4d6935e273e3ce50
                    • Opcode Fuzzy Hash: 02f24c96ac09ba8599252c6e5038bf99a5ce0a523dc0b7e3645a484449ac7329
                    • Instruction Fuzzy Hash: C6613EB5D10218AFDB10EFA8D8899AEBBB9FF48710F104129F916E7240DB34AD05CF61
                    APIs
                    • _memset.LIBCMT ref: 05886492
                    • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 058864B2
                    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 058864F4
                    • _memset.LIBCMT ref: 05886530
                    • _memset.LIBCMT ref: 0588655E
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75A773E0), ref: 0588658A
                    • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A773E0), ref: 05886593
                    • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A773E0), ref: 058865A5
                    • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75A773E0), ref: 058865F5
                    • lstrlenW.KERNEL32(?), ref: 05886605
                    Strings
                    • Software\Tencent\Plugin\VAS, xrefs: 058864A8
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                    • String ID: Software\Tencent\Plugin\VAS
                    • API String ID: 2921034913-3343197220
                    • Opcode ID: 033f929b5e8de9d5d4a4379c0c527886ce83545d6b97052b3fea82b3e1e082db
                    • Instruction ID: 7f31921823b8325ee211bc6f062f69b5f85bf9d283635e28db9996dccff4a460
                    • Opcode Fuzzy Hash: 033f929b5e8de9d5d4a4379c0c527886ce83545d6b97052b3fea82b3e1e082db
                    • Instruction Fuzzy Hash: A84175F5B40219ABDB34EB54DD85FFA7378EF44600F0041A9FB0AF6041EA70AE858B64
                    APIs
                    • _memset.LIBCMT ref: 0588629E
                    • wsprintfW.USER32 ref: 05886306
                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0588632F
                    • _memset.LIBCMT ref: 05886346
                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 05886382
                    • lstrcatW.KERNEL32(058B1F50,?), ref: 0588639E
                    • lstrcatW.KERNEL32(058B1F50,058A524C), ref: 058863AA
                    • RegCloseKey.ADVAPI32(00000000), ref: 058863B3
                    • lstrlenW.KERNEL32(058B1F50,?,A97BC7BB,00000AD4,00000000,75A773E0), ref: 058863F7
                    • lstrcatW.KERNEL32(058B1F50,058A52C4,?,A97BC7BB,00000AD4,00000000,75A773E0), ref: 0588640B
                    Strings
                    • CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 05886300
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                    • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
                    • API String ID: 1671694837-4035668053
                    • Opcode ID: 4299ebcab87ec35440688f7ac7ea0f08dc06c30897b97d4772c3229076a2c4c7
                    • Instruction ID: 861d6d39278a83e2d57fec7ccc8342bf29c1db019cd8c17143d1209115b1f3f0
                    • Opcode Fuzzy Hash: 4299ebcab87ec35440688f7ac7ea0f08dc06c30897b97d4772c3229076a2c4c7
                    • Instruction Fuzzy Hash: 194186B16002689ADB34DB55CC55FFEB7B8EF48704F0441C8FB49A6281EA746E80DF64
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040B1DB
                    • new.LIBCMT ref: 0040B24B
                      • Part of subcall function 004028D1: __EH_prolog3_catch_GS.LIBCMT ref: 004028DB
                      • Part of subcall function 004028D1: __CxxThrowException@8.LIBVCRUNTIME ref: 00402979
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040B418
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$H_prolog3_catchH_prolog3_catch_
                    • String ID: 103.199.100.130$103.199.100.97$103.199.100.97$5$8080$8080$B
                    • API String ID: 98217301-1444392773
                    • Opcode ID: 47d9daeef4d3209eae45cbf431f718fe92535ce3f45df06c6634c580522dc4f8
                    • Instruction ID: 627e5c4fc20fcd7c1fea17cce080d21d0ef25ac72cdc71b494a25d7dfd5891bf
                    • Opcode Fuzzy Hash: 47d9daeef4d3209eae45cbf431f718fe92535ce3f45df06c6634c580522dc4f8
                    • Instruction Fuzzy Hash: CC91B515886E6C69D23673614C8DAFE745DDFA331BF112337E891D0261CF6C064789AE
                    APIs
                    • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0588A47D
                    • _malloc.LIBCMT ref: 0588A4C1
                    • _free.LIBCMT ref: 0588A4F3
                    • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0588A512
                    • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0588A584
                    • GdipDisposeImage.GDIPLUS(00000000), ref: 0588A58F
                    • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0588A5B5
                    • GdipDisposeImage.GDIPLUS(00000000), ref: 0588A5CD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                    • String ID: &
                    • API String ID: 2794124522-3042966939
                    • Opcode ID: b8cd744a4e6f2ecfa4c9f8d86c4c978c5cef488862564e82a96d1ee346f02ef9
                    • Instruction ID: 56ee18491bbf6febf45e28fb39d2393fb82e518e11e115bcb60a426a041d958e
                    • Opcode Fuzzy Hash: b8cd744a4e6f2ecfa4c9f8d86c4c978c5cef488862564e82a96d1ee346f02ef9
                    • Instruction Fuzzy Hash: 7E516371A002199FDB14EFE4D8489FEB7B9FF48210F044119ED06E7290D734AD45CBA1
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004085C9
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8ThrowUser
                    • String ID: !jWW$45748404e431b11b2e469590a2b52759$Console\0$e${vU_
                    • API String ID: 2513928553-1001513282
                    • Opcode ID: 769aa0166993147af42cec2fe8af969429d5ea3364c3d6662663f521f31a9749
                    • Instruction ID: ae781606f217e08613b33236576e902dbc81fd8844841d1b591bdced9623e9f0
                    • Opcode Fuzzy Hash: 769aa0166993147af42cec2fe8af969429d5ea3364c3d6662663f521f31a9749
                    • Instruction Fuzzy Hash: 92822ABB989A8CBFF120E6C56C69B72B75CE313A37F301B37F966C2790D65854418190
                    APIs
                    • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,058A11E8,A97BC7BB,00000000,00000001,00000000), ref: 0588C9F1
                    • RegQueryInfoKeyW.ADVAPI32(058A11E8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0588CA20
                    • _memset.LIBCMT ref: 0588CA84
                    • _memset.LIBCMT ref: 0588CA93
                    • RegEnumValueW.ADVAPI32(058A11E8,?,00000000,?,00000000,?,00000000,?), ref: 0588CAB2
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                      • Part of subcall function 0588F5F7: std::exception::exception.LIBCMT ref: 0588F646
                      • Part of subcall function 0588F5F7: std::exception::exception.LIBCMT ref: 0588F660
                      • Part of subcall function 0588F5F7: __CxxThrowException@8.LIBCMT ref: 0588F671
                    • RegCloseKey.KERNEL32(058A11E8,?,?,?,?,?,?,?,?,?,?,?,00000000,058A11E8,000000FF), ref: 0588CBC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                    • String ID: Console\0
                    • API String ID: 1348767993-1253790388
                    • Opcode ID: 41ff215e1124148a01459551826dc3768356eca6d3b015f98aa727f57ce45cb6
                    • Instruction ID: c1cc88c77a7eaf00d1d54dec53b4975ba83c14241244f9ead1e98e41b4be1fad
                    • Opcode Fuzzy Hash: 41ff215e1124148a01459551826dc3768356eca6d3b015f98aa727f57ce45cb6
                    • Instruction Fuzzy Hash: 8E610EB1E00219AFDB04DFA8D885EAEB7B9FB48310F144569F915E7245DB34AD01CBA1
                    APIs
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                    • _memset.LIBCMT ref: 0588BA81
                    • GetLastInputInfo.USER32(?), ref: 0588BA97
                    • GetTickCount.KERNEL32 ref: 0588BA9D
                    • wsprintfW.USER32 ref: 0588BAC6
                    • GetForegroundWindow.USER32 ref: 0588BACF
                    • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0588BAE3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                    • String ID: %d min
                    • API String ID: 3754759880-1947832151
                    • Opcode ID: e47a666aa1fff42558902caec9aafa6910c53e06ce8384b44f986e506981b66f
                    • Instruction ID: 982a287622272e2253245a0ef471600f7c91aa37e36ebefad49096e9c189a3ad
                    • Opcode Fuzzy Hash: e47a666aa1fff42558902caec9aafa6910c53e06ce8384b44f986e506981b66f
                    • Instruction Fuzzy Hash: 16419575A00214ABDB10EFA8D889EAF7BB9EF44710F088154FD09DB355E674AE44CBE1
                    APIs
                    • GetCurrentProcessId.KERNEL32(A97BC7BB,00000000,00000000,75A773E0,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 05886908
                    • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 05886917
                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 05886930
                    • CloseHandle.KERNEL32(00000000,?,00000000,058A0FCB,000000FF,?,05886A83,00000000), ref: 0588693B
                    • SysStringLen.OLEAUT32(00000000), ref: 0588698E
                    • SysStringLen.OLEAUT32(00000000), ref: 0588699C
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,058A0FCB,000000FF), ref: 058869FE
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,058A0FCB,000000FF), ref: 05886A04
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseHandleProcess$OpenString$CurrentToken
                    • String ID:
                    • API String ID: 429299433-0
                    • Opcode ID: 89de22e83b943be4c849e33e2d6c64ee930d67a827cbf8e1fa17166462622584
                    • Instruction ID: 6cba2885662d272f23960d76827f0e45103af7c0add6e43cb0514d8f6fa1646d
                    • Opcode Fuzzy Hash: 89de22e83b943be4c849e33e2d6c64ee930d67a827cbf8e1fa17166462622584
                    • Instruction Fuzzy Hash: 6141D572E402189BDB10EFA9CD85ABEF7F8FB94710F144515ED26E7240EB756D008BA1
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 0040E229
                      • Part of subcall function 0040DC56: __EH_prolog3_GS.LIBCMT ref: 0040DC5D
                      • Part of subcall function 0040DC56: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040DD4A
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E24D
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_H_prolog3_catch_ThrowUnothrow_t@std@@@User__ehfuncinfo$??2@
                    • String ID: !!$!!!$c$v4:%d
                    • API String ID: 3962320563-2754867093
                    • Opcode ID: 123bfd44f6b178990913d7ba7eec121d4a56842681cc32fe6126031ba21ad18d
                    • Instruction ID: 7bc45ed4ea60eb1dafc130ecb2d4e3acd60c322b16c83d1f4977d11e0af54f6d
                    • Opcode Fuzzy Hash: 123bfd44f6b178990913d7ba7eec121d4a56842681cc32fe6126031ba21ad18d
                    • Instruction Fuzzy Hash: 6E31C826A91B5C2BF20577A24CCEB3C551CEB7270BF06132BF596D60E0CD744E438969
                    APIs
                    • _memset.LIBCMT ref: 05886DB5
                    • RegOpenKeyExW.KERNEL32(80000001,AppEvents,00000000,00020019,?,000008CC,00000000), ref: 05886DD9
                    • RegQueryValueExW.KERNEL32(?,?,00000000,00000001,?,00000208), ref: 05886E2F
                    • lstrcmpW.KERNEL32(?,058A5040), ref: 05886E45
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: OpenQueryValue_memsetlstrcmp
                    • String ID: AppEvents
                    • API String ID: 3592097068-2318512526
                    • Opcode ID: de3af7c41fefb7c7c5d17c2bebdfafdeee3a45ff1fa9add4cbfd54bd1cc47056
                    • Instruction ID: 8ef5d5ab1d56787f1f6b1cbc5189919b4230383f7e759436dcfb0de21cc52b5d
                    • Opcode Fuzzy Hash: de3af7c41fefb7c7c5d17c2bebdfafdeee3a45ff1fa9add4cbfd54bd1cc47056
                    • Instruction Fuzzy Hash: B2415771901218ABDB34DF95DC8DBAEB7B9FB48720F104299E81AD6240E7749E80CF50
                    APIs
                    • ___set_flsgetvalue.LIBCMT ref: 0588F93E
                    • __calloc_crt.LIBCMT ref: 0588F94A
                    • __getptd.LIBCMT ref: 0588F957
                    • CreateThread.KERNEL32(00000000,00000000,0588F8B4,00000000,00000000,0588DF63), ref: 0588F98E
                    • GetLastError.KERNEL32(?,?,00000000,?,0588DF63,00000000,00000000,05885F10,00000000,00000000,00000000), ref: 0588F998
                    • _free.LIBCMT ref: 0588F9A1
                    • __dosmaperr.LIBCMT ref: 0588F9AC
                      • Part of subcall function 0588F80B: __getptd_noexit.LIBCMT ref: 0588F80B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                    • String ID:
                    • API String ID: 155776804-0
                    • Opcode ID: 8289d086db4b80bd071c4e45121d5c603356cb4af59ca7539bbf362fe17a5bc5
                    • Instruction ID: f1a15479247385f022bea20d2b669d5e9425667226feb894b26ded1d38d06a13
                    • Opcode Fuzzy Hash: 8289d086db4b80bd071c4e45121d5c603356cb4af59ca7539bbf362fe17a5bc5
                    • Instruction Fuzzy Hash: 1011E53320470A7FEB25BFA89C89DBB3BD9EF44724B140429FE15C6150EB30DC1186A2
                    APIs
                    • ___set_flsgetvalue.LIBCMT ref: 0588F8BA
                      • Part of subcall function 05893B90: TlsGetValue.KERNEL32(00000000,05893CE9,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000), ref: 05893B99
                      • Part of subcall function 05893B90: DecodePointer.KERNEL32(?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000,?,05893DF6,0000000D), ref: 05893BAB
                      • Part of subcall function 05893B90: TlsSetValue.KERNEL32(00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000,?,05893DF6), ref: 05893BBA
                    • ___fls_getvalue@4.LIBCMT ref: 0588F8C5
                      • Part of subcall function 05893B70: TlsGetValue.KERNEL32(?,?,0588F8CA,00000000), ref: 05893B7E
                    • ___fls_setvalue@8.LIBCMT ref: 0588F8D8
                      • Part of subcall function 05893BC4: DecodePointer.KERNEL32(?,?,?,0588F8DD,00000000,?,00000000), ref: 05893BD5
                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 0588F8E1
                    • ExitThread.KERNEL32 ref: 0588F8E8
                    • GetCurrentThreadId.KERNEL32 ref: 0588F8EE
                    • __freefls@4.LIBCMT ref: 0588F90E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                    • String ID:
                    • API String ID: 2383549826-0
                    • Opcode ID: 157cf1c78a7b0e67af081e8f79e417568dd13551f135eb8534a40c18d2ff61f5
                    • Instruction ID: 748d45850f81617e4c13d8aeed25529b2dbfbc86b1fd6911ea68e2fb4bafebb2
                    • Opcode Fuzzy Hash: 157cf1c78a7b0e67af081e8f79e417568dd13551f135eb8534a40c18d2ff61f5
                    • Instruction Fuzzy Hash: 94F01274600341AFDB1CBF79C90DD2E7BA9EE442547248958BD05C7211EE35DD81CBA2
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_catch
                    • String ID: 45748404e431b11b2e469590a2b52759$Console\0$e
                    • API String ID: 3886170330-629985466
                    • Opcode ID: 50b706e70de4de0f723b4fc6144bbfa0a3f8de438d2a5a090e821d549b0ec00b
                    • Instruction ID: 968056f4663a5bf7a65357fed2d1c67a8e8a13bed8e7e62878ac9812bb02e024
                    • Opcode Fuzzy Hash: 50b706e70de4de0f723b4fc6144bbfa0a3f8de438d2a5a090e821d549b0ec00b
                    • Instruction Fuzzy Hash: 54E1F8BB989A8CAFF130E6C56C69B72B79CE313A37F301B37F966D1790DA1954018190
                    APIs
                    • D3D11CreateDevice.D3D11(00000000,00000001,00000000,00000000,00000000,00000000,00000007,?,?,?), ref: 0040CE00
                    • CreateDXGIFactory.DXGI(00445420,?), ref: 0040CE35
                      • Part of subcall function 00410818: __EH_prolog3_catch.LIBCMT ref: 0041081F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$DeviceFactoryH_prolog3_catch
                    • String ID: @TD$Failed to create D3D11 device.$Failed to create DXGI factory.
                    • API String ID: 2844046087-104575095
                    • Opcode ID: 3b112c7fb986bae99d802b6b302170207aff9a7d46dbf808f79ee2335c3de06f
                    • Instruction ID: ce3aecbf7d2233ee4cf59cfa48850e23a3f411b985804bfd3dd35abd15130d05
                    • Opcode Fuzzy Hash: 3b112c7fb986bae99d802b6b302170207aff9a7d46dbf808f79ee2335c3de06f
                    • Instruction Fuzzy Hash: 0B315B71204201AFC710DF65C888A6BBBE9FF89754F104A2EF45ACB251DB34D845CBA6
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0588666B
                    • CoCreateInstance.OLE32(058A46FC,00000000,00000001,058A471C,?,?,?,?,?,?,?,?,?,?,05885863), ref: 05886682
                    • SysFreeString.OLEAUT32(?), ref: 0588671C
                    • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,05885863), ref: 0588674D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateFreeInitializeInstanceStringUninitialize
                    • String ID: FriendlyName
                    • API String ID: 841178590-3623505368
                    • Opcode ID: bdd290b281525eb7dea48cdaefd579bbfb6cfd4e4f4c7764e11cf01bb19fcf79
                    • Instruction ID: 4cfb3ee129f686c46cc86e42fefb7a6d3d56ba7b73125c73093e266a5fb756e5
                    • Opcode Fuzzy Hash: bdd290b281525eb7dea48cdaefd579bbfb6cfd4e4f4c7764e11cf01bb19fcf79
                    • Instruction Fuzzy Hash: DA312F75710205AFDB10DB99DC81EAAB7B9EFC9704F148194F905EB250DBB1ED41CB60
                    APIs
                    • _malloc.LIBCMT ref: 0588F611
                      • Part of subcall function 0588F563: __FF_MSGBANNER.LIBCMT ref: 0588F57C
                      • Part of subcall function 0588F563: __NMSG_WRITE.LIBCMT ref: 0588F583
                      • Part of subcall function 0588F563: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 0588F5A8
                    • std::exception::exception.LIBCMT ref: 0588F646
                    • std::exception::exception.LIBCMT ref: 0588F660
                    • __CxxThrowException@8.LIBCMT ref: 0588F671
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                    • String ID: bad allocation
                    • API String ID: 615853336-2104205924
                    • Opcode ID: 177bcb30f68e19706f6f85410b1e856c78460265dbacec3f013bc988d2ad2c21
                    • Instruction ID: 5d5dfe5623242728e35dd81c7c6619509b4315858bf1f0b5d6c164cd1d91f100
                    • Opcode Fuzzy Hash: 177bcb30f68e19706f6f85410b1e856c78460265dbacec3f013bc988d2ad2c21
                    • Instruction Fuzzy Hash: 06F0F975A0430966FF04FB59D829A7E3ABAFF40654F140004EF11E5190EB709E05CF51
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040BDC8
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BDF3
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    • GetCursorPos.USER32(?), ref: 0040BE34
                    • GetCursorPos.USER32(?), ref: 0040BE44
                    • GetCursorPos.USER32(?), ref: 0040BE4F
                      • Part of subcall function 0040BD45: __EH_prolog3_catch.LIBCMT ref: 0040BD4C
                      • Part of subcall function 0040BD45: __CxxThrowException@8.LIBVCRUNTIME ref: 0040BD65
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Cursor$Exception@8H_prolog3_catchThrow$DispatcherExceptionUser
                    • String ID:
                    • API String ID: 2186074414-0
                    • Opcode ID: 051f3c0c323beada23aad27c6c4bd549df6de3e9425fdc20355bf109c3b9770e
                    • Instruction ID: 7b536314480e95965393dee5022c960bc3ec5933b6f9912406064fe6e91dc01d
                    • Opcode Fuzzy Hash: 051f3c0c323beada23aad27c6c4bd549df6de3e9425fdc20355bf109c3b9770e
                    • Instruction Fuzzy Hash: 00318D72C0030C6ACF22BBB19C45DEFBA7DEF99350F016656F51172052DB3999508AA8
                    APIs
                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 05882D5C
                    • CancelIo.KERNEL32(?), ref: 05882D66
                    • InterlockedExchange.KERNEL32(00000000,00000000), ref: 05882D6F
                    • closesocket.WS2_32(?), ref: 05882D79
                    • SetEvent.KERNEL32(00000001), ref: 05882D83
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                    • String ID:
                    • API String ID: 1486965892-0
                    • Opcode ID: c404973424fc2d9ff67aeaee8bb5e6091ae0b0a5ea594f3a67726dd0caa4697b
                    • Instruction ID: 7c160c39ff21d9f72542aeecdde0dba25e81efe5e090ee2c9e21b1981c1ff0b4
                    • Opcode Fuzzy Hash: c404973424fc2d9ff67aeaee8bb5e6091ae0b0a5ea594f3a67726dd0caa4697b
                    • Instruction Fuzzy Hash: 7CF03179110704AFD3349F54DD49B667BF8FB49B11F10061DFA9396680DAB0B9048B90
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040787C
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00407A51
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow
                    • String ID: IpDates_info$SOFTWARE
                    • API String ID: 1118002619-2243437601
                    • Opcode ID: 874d002dc55d2f8a31b6f6f44f3816a83acad443a15d5fc6b426ee4f48164aa1
                    • Instruction ID: 10e9237137a0567be675d0e40c5e67b37cf8aa5439e9b3662b6fba5421a2e3f4
                    • Opcode Fuzzy Hash: 874d002dc55d2f8a31b6f6f44f3816a83acad443a15d5fc6b426ee4f48164aa1
                    • Instruction Fuzzy Hash: 6CB1D67B9CAA8CAFF120E6C56C6DB72B75CE313A3BF201B33F966D16D0DA5854018154
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040B418
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8ThrowUser
                    • String ID: 103.199.100.97$5$8080
                    • API String ID: 2513928553-3308959486
                    • Opcode ID: 1c2419a10260abf028730e2b63b76b65c8f5b56ae5cfa0932e6f0868f0440fc4
                    • Instruction ID: 491107047e45d6097c320fcffd7296d0947ab78874c78590a837ce98dcb5e82d
                    • Opcode Fuzzy Hash: 1c2419a10260abf028730e2b63b76b65c8f5b56ae5cfa0932e6f0868f0440fc4
                    • Instruction Fuzzy Hash: 2D11C615C41A1C26D23673614C8DBFE696CDBA7B1BF10222BF891D1261CF2C054799EA
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00407A51
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw
                    • String ID: IpDates_info$SOFTWARE
                    • API String ID: 2005118841-2243437601
                    • Opcode ID: 5b98d0d7d1d6b75b75b1fe1b5808de0115f83000fc6395c6cfb3cfa07b2229d6
                    • Instruction ID: c5bc4179376dd7b189c07d8aa7ddaa88292b5f9c2d1760f246e8fa44e7a49247
                    • Opcode Fuzzy Hash: 5b98d0d7d1d6b75b75b1fe1b5808de0115f83000fc6395c6cfb3cfa07b2229d6
                    • Instruction Fuzzy Hash: 1CA1F6BB989A8CBFF120E6C56C69B72B79CE313A3BF301B33F966D16D0DA5814018154
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 0040BFEA
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C02D
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040EF6C: char_traits.LIBCPMT ref: 0040EF85
                      • Part of subcall function 0040BEE3: __EH_prolog3_catch.LIBCMT ref: 0040BEEA
                      • Part of subcall function 0040BEE3: __CxxThrowException@8.LIBVCRUNTIME ref: 0040BF3D
                      • Part of subcall function 0040F82D: std::_Deallocate.LIBCONCRT ref: 0040F85D
                      • Part of subcall function 00410A2B: __EH_prolog3.LIBCMT ref: 00410A32
                      • Part of subcall function 0040FA39: std::_Deallocate.LIBCONCRT ref: 0040FA69
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeallocateException@8Throwstd::_$DispatcherExceptionH_prolog3H_prolog3_catchH_prolog3_catch_Userchar_traits
                    • String ID: C:\Users\
                    • API String ID: 1189702893-773679268
                    • Opcode ID: fa24dc5e13bb1faadbffbb8d8e08a101af343b1da8a32206841914c27c868cfc
                    • Instruction ID: 579beb7774ef81d81f54cc86b884fe02d13e32e5f7928c4170b2804dc7836af2
                    • Opcode Fuzzy Hash: fa24dc5e13bb1faadbffbb8d8e08a101af343b1da8a32206841914c27c868cfc
                    • Instruction Fuzzy Hash: 07512171900128AAD731A7618CD8EFF6E7CEF96754F4041BEF009A1091CF781E86DEA5
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040250A
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00402569
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID: ?
                    • API String ID: 1841272387-1684325040
                    • Opcode ID: be633443fca854b8a6801f576492c5d81f4b54105de0b2c41f056ad151ac7f69
                    • Instruction ID: af8992980a6b85c46003d11c26060e63a31c8a0de1cd2ad6dff2200a9b5e7270
                    • Opcode Fuzzy Hash: be633443fca854b8a6801f576492c5d81f4b54105de0b2c41f056ad151ac7f69
                    • Instruction Fuzzy Hash: 4D312777989B48AFE320DB859C59F73B7ACE306B36F204B3BF516D2780C76854008690
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00407E3E
                      • Part of subcall function 00402503: __EH_prolog3_catch.LIBCMT ref: 0040250A
                      • Part of subcall function 00402503: __CxxThrowException@8.LIBVCRUNTIME ref: 00402569
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00407EB0
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow$DispatcherExceptionUser
                    • String ID: ,
                    • API String ID: 1909432332-3772416878
                    • Opcode ID: 1a1d2add909aebd2b6f8ab4aee3e04c869c340dfe42bb6eda9b530e565984e8d
                    • Instruction ID: 68a7cc2c8cc175f887444c34314a3a5935ec1bb89bbdc42fe844f187ed75860a
                    • Opcode Fuzzy Hash: 1a1d2add909aebd2b6f8ab4aee3e04c869c340dfe42bb6eda9b530e565984e8d
                    • Instruction Fuzzy Hash: 04214C77989A4CAFF720EBC59859BB6B7A8E31273BF300B37F855D6290C77844418194
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 004028DB
                      • Part of subcall function 00401337: __EH_prolog3_catch.LIBCMT ref: 0040133E
                      • Part of subcall function 00401337: __CxxThrowException@8.LIBVCRUNTIME ref: 004013A1
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00402979
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$DispatcherExceptionH_prolog3_catchH_prolog3_catch_User
                    • String ID: %
                    • API String ID: 3938975101-2567322570
                    • Opcode ID: b1b3c2fcf86f81c222246e9ca72806171ba81e01a31bb5471524e53a41b72fe3
                    • Instruction ID: c9f0add260b14b006c40b488b30b8be75c4a589c2e11b926704216346cae6e44
                    • Opcode Fuzzy Hash: b1b3c2fcf86f81c222246e9ca72806171ba81e01a31bb5471524e53a41b72fe3
                    • Instruction Fuzzy Hash: AB3159B2844B88AFE320DF858C55BA6F7E8F716726F204B6FE856D27C0C7B855008A45
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 00403389
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004033EA
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catch_ThrowUser
                    • String ID: T
                    • API String ID: 2496864217-3187964512
                    • Opcode ID: 87d6251b5da49ad2f934743c30d6550920393f05051bcb7d0b3a2ca311411567
                    • Instruction ID: 12613343b11007ba840df2cc38af007157d100582f555deff79d08e98271834c
                    • Opcode Fuzzy Hash: 87d6251b5da49ad2f934743c30d6550920393f05051bcb7d0b3a2ca311411567
                    • Instruction Fuzzy Hash: 0E210877889A8CAFE310EAC59C99BB6B7ACE31663BF200B37E552D22D0C77804018550
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_
                    • String ID: @TD$Failed to retrieve SMBIOS data.
                    • API String ID: 2427045233-3072738943
                    • Opcode ID: 2791b63c62851ca5110f69857475545b464a158cc474895fdd1d1006a71bb654
                    • Instruction ID: 26e134bd895d06ac0eff5e9b2d60050664a9375fc38ee0122e915127dce4fd49
                    • Opcode Fuzzy Hash: 2791b63c62851ca5110f69857475545b464a158cc474895fdd1d1006a71bb654
                    • Instruction Fuzzy Hash: 3731F571A041109ADB10ABF68C45AEFBB38AF55354F10003FF405772C2DEBC5989C6A8
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00402010
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00402069
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 00401D5A: __EH_prolog3_catch.LIBCMT ref: 00401D61
                      • Part of subcall function 00401D5A: __CxxThrowException@8.LIBVCRUNTIME ref: 00401DBA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow$DispatcherExceptionUser
                    • String ID: !
                    • API String ID: 1909432332-2657877971
                    • Opcode ID: f0b57cc09cccfd552b82e856e81fe43e9980225237bade98c31005282472936e
                    • Instruction ID: 17bc1d38ccccf9da31e2b97f15685a9a0674ec7319e75f6fc75b70c0bd949b75
                    • Opcode Fuzzy Hash: f0b57cc09cccfd552b82e856e81fe43e9980225237bade98c31005282472936e
                    • Instruction Fuzzy Hash: 871129B7988648AFE320E7C59C59BB6B7ACE306B3AF304B37F515D63C0D76854018294
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_
                    • String ID: ,WD$TEMP
                    • API String ID: 2427045233-2441283989
                    • Opcode ID: a02e88b0b9070ec293d8bea5835d348d6de8d0262300830da3c741e07e951c4f
                    • Instruction ID: 8a1d809d1ef78157a82ba2e099721d3f64ab7d2ff48e7a80826bf373777e0975
                    • Opcode Fuzzy Hash: a02e88b0b9070ec293d8bea5835d348d6de8d0262300830da3c741e07e951c4f
                    • Instruction Fuzzy Hash: EE21E371500224DBDB249B318C84AEFBA789F19314F10427FF842B61C2DB3C4A86C6AC
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 0040BB4D
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BB6D
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040BAA0: __EH_prolog3_catch_GS.LIBCMT ref: 0040BAAA
                      • Part of subcall function 0040BAA0: __CxxThrowException@8.LIBVCRUNTIME ref: 0040BB05
                      • Part of subcall function 0040ED81: __EH_prolog3.LIBCMT ref: 0040ED88
                      • Part of subcall function 0040ED81: std::locale::_Init.LIBCPMT ref: 0040EDA4
                      • Part of subcall function 00411257: __EH_prolog3.LIBCMT ref: 00411261
                      • Part of subcall function 0040FA39: std::_Deallocate.LIBCONCRT ref: 0040FA69
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3H_prolog3_catch_Throw$DeallocateDispatcherExceptionInitUserstd::_std::locale::_
                    • String ID: ^C:\\[A-Za-z0-9_]+
                    • API String ID: 934996010-2490631579
                    • Opcode ID: b89e39eb0490dcd7d7ce70d72413b2139c062432dbd937802cec89452050380c
                    • Instruction ID: 76440841934ae42911752f9e8910e75b57d9bd6d59572f3fa326fa0c95d1bc6f
                    • Opcode Fuzzy Hash: b89e39eb0490dcd7d7ce70d72413b2139c062432dbd937802cec89452050380c
                    • Instruction Fuzzy Hash: 4C116030E41109EBDB04EB95C892BEDB374EF14304F90806EE111771C2D7B86A49CBA8
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: gethostbyname
                    • String ID:
                    • API String ID: 930432418-0
                    • Opcode ID: 17db0f7cee2588996764523463c2b98cc7b4e320836cab16ca05546324b50a4c
                    • Instruction ID: 3420f69c6643b25b588e24b998e6d2c6baab0e9dfe01738a8529c0a17f5b4746
                    • Opcode Fuzzy Hash: 17db0f7cee2588996764523463c2b98cc7b4e320836cab16ca05546324b50a4c
                    • Instruction Fuzzy Hash: ECE1E9B7999A8CBFF220EAC56C69B72B79CE317A7BF200B37F966C17D0D61454018150
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 0588316B
                    • InterlockedExchange.KERNEL32(?,00000001), ref: 05883183
                    • GetCurrentThreadId.KERNEL32 ref: 0588322F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CurrentThread$ExchangeInterlocked
                    • String ID:
                    • API String ID: 4033114805-0
                    • Opcode ID: 42a463b901d826cd9bc78c07d94b5ff22a558c7162191c7c05a2b96b06a150c7
                    • Instruction ID: 1c2bd49267fe883546ee2f8044dac745d99b97b2bef9174ec36ca4944c7e412c
                    • Opcode Fuzzy Hash: 42a463b901d826cd9bc78c07d94b5ff22a558c7162191c7c05a2b96b06a150c7
                    • Instruction Fuzzy Hash: 913136742006069FD728EF69C988A7AB7A5FF44B15B10C92DEC5ACB615DB31FC42CB90
                    APIs
                    • __floor_pentium4.LIBCMT ref: 058811E9
                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05881226
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 05881255
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Virtual$AllocFree__floor_pentium4
                    • String ID:
                    • API String ID: 2605973128-0
                    • Opcode ID: 236cb0df7a15ea95606ce99af45d05e2167be51be06c4593bec2fd5590c3a3db
                    • Instruction ID: fef2e3fe75d24c2a9090e13477c94de26ec1e66e360905195f7efd52a035a0b3
                    • Opcode Fuzzy Hash: 236cb0df7a15ea95606ce99af45d05e2167be51be06c4593bec2fd5590c3a3db
                    • Instruction Fuzzy Hash: 29217F75B00709ABDB14AFA9D84AB6EFBF4EF40705F008569EC59D2640EB30BC50C744
                    APIs
                    • __floor_pentium4.LIBCMT ref: 0588112F
                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0588115F
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 05881192
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Virtual$AllocFree__floor_pentium4
                    • String ID:
                    • API String ID: 2605973128-0
                    • Opcode ID: 24be8b7ece68146da563316d21e7cfeb9f766002830924940dee198cb3da59ab
                    • Instruction ID: a213d4275c5ef1d6c33dc2d94b89bc30c7ae89b540a22eb974bf5bfdaff26e0a
                    • Opcode Fuzzy Hash: 24be8b7ece68146da563316d21e7cfeb9f766002830924940dee198cb3da59ab
                    • Instruction Fuzzy Hash: 61117274A10705ABDB10AFA9D886B6EFBF8FF04705F008469ED59D2640EA70A950C750
                    APIs
                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 05889DF4
                    • GdipDisposeImage.GDIPLUS(?), ref: 05889E08
                    • GdipDisposeImage.GDIPLUS(?), ref: 05889E2B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                    • String ID:
                    • API String ID: 800915452-0
                    • Opcode ID: d42acf8c949d6876404ff5011557904af78d3a6ca368fd9a6f111bae0abe85f1
                    • Instruction ID: bbf59382056ebc51f8eec316ae7ed1026db1df167b6968fcdfeade1e38d11c57
                    • Opcode Fuzzy Hash: d42acf8c949d6876404ff5011557904af78d3a6ca368fd9a6f111bae0abe85f1
                    • Instruction Fuzzy Hash: 40F0A475A00219A78B20EF98D8448BFBBB8FB45611B00415AFD46F7300DB709E09CBD1
                    APIs
                    • EnterCriticalSection.KERNEL32(058AFBA4), ref: 05889ACC
                    • GdiplusStartup.GDIPLUS(058AFBA0,?,?), ref: 05889B05
                    • LeaveCriticalSection.KERNEL32(058AFBA4), ref: 05889B16
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterGdiplusLeaveStartup
                    • String ID:
                    • API String ID: 389129658-0
                    • Opcode ID: b667acd012e2e5f4ccf066896680de5ee756f28f5b3a47a370734d43b1d35dae
                    • Instruction ID: 374a3ac8007c1adfc0621e9fb6c8355a2b4f6874c9ab7d5f63a9df01211756f6
                    • Opcode Fuzzy Hash: b667acd012e2e5f4ccf066896680de5ee756f28f5b3a47a370734d43b1d35dae
                    • Instruction Fuzzy Hash: 06F096396412099FFB10AF90E86B7FBBBF8F704305F500199EE05D2240DB761945CB91
                    APIs
                    • __getptd_noexit.LIBCMT ref: 0588F859
                      • Part of subcall function 05893CD2: GetLastError.KERNEL32(00000001,00000000,0588F810,0588F5EC,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 05893CD6
                      • Part of subcall function 05893CD2: ___set_flsgetvalue.LIBCMT ref: 05893CE4
                      • Part of subcall function 05893CD2: __calloc_crt.LIBCMT ref: 05893CF8
                      • Part of subcall function 05893CD2: DecodePointer.KERNEL32(00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000,?,05893DF6), ref: 05893D12
                      • Part of subcall function 05893CD2: GetCurrentThreadId.KERNEL32 ref: 05893D28
                      • Part of subcall function 05893CD2: SetLastError.KERNEL32(00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000,?,05893DF6), ref: 05893D40
                    • __freeptd.LIBCMT ref: 0588F863
                      • Part of subcall function 05893E94: TlsGetValue.KERNEL32(?,?,05890FE0,00000000,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893EB5
                      • Part of subcall function 05893E94: TlsGetValue.KERNEL32(?,?,05890FE0,00000000,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893EC7
                      • Part of subcall function 05893E94: DecodePointer.KERNEL32(00000000,?,05890FE0,00000000,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893EDD
                      • Part of subcall function 05893E94: __freefls@4.LIBCMT ref: 05893EE8
                      • Part of subcall function 05893E94: TlsSetValue.KERNEL32(00000021,00000000,?,05890FE0,00000000,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893EFA
                    • ExitThread.KERNEL32 ref: 0588F86C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                    • String ID:
                    • API String ID: 4224061863-0
                    • Opcode ID: 0476b9d76573518b57458645e33c4a2d900b7647b0228173ad8c02818d1d41c4
                    • Instruction ID: ae90e45ad89d955fa6d72a45269a0599c230d260a9895591416c0bdaa9e7bfee
                    • Opcode Fuzzy Hash: 0476b9d76573518b57458645e33c4a2d900b7647b0228173ad8c02818d1d41c4
                    • Instruction Fuzzy Hash: 6FC04C252047056B9F693776D90E91B7A5D9D802517580424BD16C5450EE68EC51C591
                    APIs
                    • setsockopt.WS2_32(?,0000FFFF,00001006,00007530,00000004), ref: 004044F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: setsockopt
                    • String ID: 0u
                    • API String ID: 3981526788-3203441087
                    • Opcode ID: 2ec25f9e855f01c84e2c1c84fd174d171f9bc3c3dea4bd620a6f1bba0b7cb63e
                    • Instruction ID: 64a7f87d9de9356d5e1512be59539b78a0242b11c1a43f0dc5c3ff17c1536ee9
                    • Opcode Fuzzy Hash: 2ec25f9e855f01c84e2c1c84fd174d171f9bc3c3dea4bd620a6f1bba0b7cb63e
                    • Instruction Fuzzy Hash: D321DBB7989A8CBFF220E6C96C59FB2B79CE317A37F200B33F566D26D0D65454414150
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00402569
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8ThrowUser
                    • String ID: ?
                    • API String ID: 2513928553-1684325040
                    • Opcode ID: d0231abb252f7106d999a84c14e1b2eea359a30ac76ad482a171f5f9517c7e1e
                    • Instruction ID: 9962193b77ff82c32004584eb7a5168ce0267ddf037ef70ac147005707e08246
                    • Opcode Fuzzy Hash: d0231abb252f7106d999a84c14e1b2eea359a30ac76ad482a171f5f9517c7e1e
                    • Instruction Fuzzy Hash: D221F8B7988B48AFE220DBC59C59F73BBECE306A32F204B37F516D2790D66854008590
                    APIs
                    • setsockopt.WS2_32(?,0000FFFF,00001006,00007530,00000004), ref: 004044F8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: setsockopt
                    • String ID: 0u
                    • API String ID: 3981526788-3203441087
                    • Opcode ID: 57ca7a072de2ed18f1e3ba61e8e1f80e23f743b5dba62e109dd568f5606d826b
                    • Instruction ID: df1abba1ea3ee45a4b30b4b0efb1a0f8eef6a57142bb947dd8c6bfd902225f66
                    • Opcode Fuzzy Hash: 57ca7a072de2ed18f1e3ba61e8e1f80e23f743b5dba62e109dd568f5606d826b
                    • Instruction Fuzzy Hash: 96210AB7988A88BFF220E6C96C69F72779CE306A37F300B33F666D26D0D65854018150
                    APIs
                    • setsockopt.WS2_32(?,0000FFFF,00000008,?), ref: 0040455B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: setsockopt
                    • String ID: ^
                    • API String ID: 3981526788-1590793086
                    • Opcode ID: 11cd5256ade67e317f33362be2a8db927069440fc6fa32aa94354572500e2a79
                    • Instruction ID: 48cdc7f5c70a7e3abc7cae44bb3e34536eddf169e82be26ccf0a2b487289459a
                    • Opcode Fuzzy Hash: 11cd5256ade67e317f33362be2a8db927069440fc6fa32aa94354572500e2a79
                    • Instruction Fuzzy Hash: F821F5B7988B4CAFF720DAC59C99BB6BBACE306B26F200737E915D62D0D77840418640
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004033EA
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8ThrowUser
                    • String ID: T
                    • API String ID: 2513928553-3187964512
                    • Opcode ID: 65cb8cd847f7b591314e5732bae563f49c534b62ee740015a9a6c406e8a2a20d
                    • Instruction ID: c8534ef946fb98b9fb9741ef752f2d98087b0be08feae6552eed4e090f179c80
                    • Opcode Fuzzy Hash: 65cb8cd847f7b591314e5732bae563f49c534b62ee740015a9a6c406e8a2a20d
                    • Instruction Fuzzy Hash: CE11E9B7889A8CAFE310EAC59C99B7677ACE316A3BF300B37E552D22D0C37804058550
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004015FC
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040194B: __EH_prolog3_catch.LIBCMT ref: 00401952
                      • Part of subcall function 0040194B: __CxxThrowException@8.LIBVCRUNTIME ref: 004019AB
                      • Part of subcall function 00401AB9: __EH_prolog3_catch.LIBCMT ref: 00401AC0
                      • Part of subcall function 00401AB9: __CxxThrowException@8.LIBVCRUNTIME ref: 00401B19
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$H_prolog3_catch$DispatcherExceptionUser
                    • String ID: S
                    • API String ID: 1529331208-543223747
                    • Opcode ID: ca0ed306f8fa36f6d853eeafd4e370bfce1951623856e4dc6e5acd4e27a55a19
                    • Instruction ID: 3398e1a75d19d0947390e72e0f243b3760cb84173d611f923f4ac05ad618cb73
                    • Opcode Fuzzy Hash: ca0ed306f8fa36f6d853eeafd4e370bfce1951623856e4dc6e5acd4e27a55a19
                    • Instruction Fuzzy Hash: F11108B7949648AFE220E6C59C69F76B3ACE306B36F204B37E516D27D0C73854018550
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004015FC
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040194B: __EH_prolog3_catch.LIBCMT ref: 00401952
                      • Part of subcall function 0040194B: __CxxThrowException@8.LIBVCRUNTIME ref: 004019AB
                      • Part of subcall function 00401AB9: __EH_prolog3_catch.LIBCMT ref: 00401AC0
                      • Part of subcall function 00401AB9: __CxxThrowException@8.LIBVCRUNTIME ref: 00401B19
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$H_prolog3_catch$DispatcherExceptionUser
                    • String ID: S
                    • API String ID: 1529331208-543223747
                    • Opcode ID: 5de438ec38938960e911c989a667b8d571a55fda99dde5b6cd31afab71bd85f9
                    • Instruction ID: 811d75084cc2afbc1176e07fa2c92146d0a86461eba8b5b3cd2127f380c1243d
                    • Opcode Fuzzy Hash: 5de438ec38938960e911c989a667b8d571a55fda99dde5b6cd31afab71bd85f9
                    • Instruction Fuzzy Hash: 0B1102B7988A88AFE210E6C69C65F66B3ACE305B36F204B37F516D26D0D63C54018690
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00402069
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 00401D5A: __EH_prolog3_catch.LIBCMT ref: 00401D61
                      • Part of subcall function 00401D5A: __CxxThrowException@8.LIBVCRUNTIME ref: 00401DBA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$DispatcherExceptionH_prolog3_catchUser
                    • String ID: !
                    • API String ID: 4275536761-2657877971
                    • Opcode ID: 383dbd838330131de09e5ce676752096658c0ffd69670b6849b3c1839085ea0a
                    • Instruction ID: 223cb2ed7e661e47eeaff321a66ea6261fbe39dd794d82501610d7a2db39b4ec
                    • Opcode Fuzzy Hash: 383dbd838330131de09e5ce676752096658c0ffd69670b6849b3c1839085ea0a
                    • Instruction Fuzzy Hash: 861148B7988748AFE220E7C59C69F6277ACE306B35F304F37F616D63C0D26854018190
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00405480
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    • timeGetTime.WINMM ref: 004055D4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8ThrowTimeUsertime
                    • String ID:
                    • API String ID: 3406684975-0
                    • Opcode ID: 8bf632c6fc6ab888d7330dbb03045e0a41f7cd4f98b2188270bc014d28ba6444
                    • Instruction ID: 4f5f671991000db5e23d4cbf4c0a50735e15c195ad0698e7cb3a1719dc032d44
                    • Opcode Fuzzy Hash: 8bf632c6fc6ab888d7330dbb03045e0a41f7cd4f98b2188270bc014d28ba6444
                    • Instruction Fuzzy Hash: 6F512D77888B8CAFE320EAC59C59B76B7ACE316B37F200B37E556D22D0C77854418690
                    APIs
                    • setsockopt.WS2_32(?,0000FFFF,00001001,00040000,00000004), ref: 00404357
                    • setsockopt.WS2_32(?,0000FFFF,00001002,00040000,00000004), ref: 004043F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: setsockopt
                    • String ID:
                    • API String ID: 3981526788-0
                    • Opcode ID: 960f4ca0e59693487a3a96dbe32bdfff4b2b2cd3dd8f0bf4438264e2b4c5a794
                    • Instruction ID: fddf6e3b4ac1b3c1ff349376bf80a6be98797cddeec1d76f344daa4e2a97487e
                    • Opcode Fuzzy Hash: 960f4ca0e59693487a3a96dbe32bdfff4b2b2cd3dd8f0bf4438264e2b4c5a794
                    • Instruction Fuzzy Hash: 9D41D7B79C9A8CBFF220E6C56C59B72B79CE317A3BF204B33F962D26D0D66454018550
                    APIs
                    • setsockopt.WS2_32(?,0000FFFF,00001001,00040000,00000004), ref: 00404357
                    • setsockopt.WS2_32(?,0000FFFF,00001002,00040000,00000004), ref: 004043F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: setsockopt
                    • String ID:
                    • API String ID: 3981526788-0
                    • Opcode ID: 5814d8cc007d1c83be4714993ac71439f6d860807f9e96dc756286c175bda606
                    • Instruction ID: 6496c5a105f67301ab278f820404743f632b65aa9403c342606c08f9235e8254
                    • Opcode Fuzzy Hash: 5814d8cc007d1c83be4714993ac71439f6d860807f9e96dc756286c175bda606
                    • Instruction Fuzzy Hash: 5641DAB79C9A8C7FF220E6C56C59F72B79CE316A3BF204B33F962D26D0D66454018550
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Time_memmovetime
                    • String ID:
                    • API String ID: 1463837790-0
                    • Opcode ID: 5a6f0daadccfdc51fa3b4c3b12dad84326209c8819e6cb4363274ebb9f464c2a
                    • Instruction ID: c6864fed878d32a092c64298b3227035c3be205a39021e07fa409a817799b4e5
                    • Opcode Fuzzy Hash: 5a6f0daadccfdc51fa3b4c3b12dad84326209c8819e6cb4363274ebb9f464c2a
                    • Instruction Fuzzy Hash: C751BB72700205AFD711EE69C8C4A7AB7AAFF94A147148A6CED1ADB700DB30FC41CB90
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00401566
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004015FC
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040194B: __EH_prolog3_catch.LIBCMT ref: 00401952
                      • Part of subcall function 0040194B: __CxxThrowException@8.LIBVCRUNTIME ref: 004019AB
                      • Part of subcall function 00401AB9: __EH_prolog3_catch.LIBCMT ref: 00401AC0
                      • Part of subcall function 00401AB9: __CxxThrowException@8.LIBVCRUNTIME ref: 00401B19
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow$DispatcherExceptionUser
                    • String ID:
                    • API String ID: 1909432332-0
                    • Opcode ID: 5149fa856a0395b8a5a63d2a57ea0a96386f33a18f50b2f8085278bdaff77415
                    • Instruction ID: f34c89d5b8cb1b2927071957f23081b73250a4d6d92962cee6002b194feaf5b2
                    • Opcode Fuzzy Hash: 5149fa856a0395b8a5a63d2a57ea0a96386f33a18f50b2f8085278bdaff77415
                    • Instruction Fuzzy Hash: 9E310CB7989A8CAFE220E6C55C55FB6B7ACE306B36F300B37F516D27D0D72854018190
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040133E
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004013A1
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID:
                    • API String ID: 1841272387-0
                    • Opcode ID: 7bcbc2341318f0be3fc3e479d69a680518d283c9b7ba04cba39951af487da58d
                    • Instruction ID: c7bc97929b2ba8a89c5762af2199561234cf26633e00258494d7f3dece0c91b6
                    • Opcode Fuzzy Hash: 7bcbc2341318f0be3fc3e479d69a680518d283c9b7ba04cba39951af487da58d
                    • Instruction Fuzzy Hash: CE213AB798AA4CAFE320EA855C55BB2F7ACE31373BF305737E515D6390CB2550028550
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040BEEA
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BF3D
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID:
                    • API String ID: 1841272387-0
                    • Opcode ID: 53ed5e1a12d8fe7e7c38122a07c8297069b615a077add51c106c3663b2c81edd
                    • Instruction ID: 1a0b96cc3a998007a1eb4402417b60683fd925bd8ac75d198e4a7710b51ac139
                    • Opcode Fuzzy Hash: 53ed5e1a12d8fe7e7c38122a07c8297069b615a077add51c106c3663b2c81edd
                    • Instruction Fuzzy Hash: 9131FA70900219AED721AF669C88D7FBEBDEF86764B10042EF404A7250CB785D45DEFA
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00402805
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040285E
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID:
                    • API String ID: 1841272387-0
                    • Opcode ID: fdfedf63033aee9b8c97155ed098b0020affd4bdfc44d2c16da10399c93aab8f
                    • Instruction ID: 2588b1279e6270a7440988bd04a8a6f54f54ea4613f9d21b63665e2ec0b03905
                    • Opcode Fuzzy Hash: fdfedf63033aee9b8c97155ed098b0020affd4bdfc44d2c16da10399c93aab8f
                    • Instruction Fuzzy Hash: F721387798474CAFE720EBC4D859BB6B7A8E706B3AF304A37E415D63C0D77844418690
                    APIs
                    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 05883043
                    • recv.WS2_32(?,?,00040000,00000000), ref: 05883064
                      • Part of subcall function 0588F80B: __getptd_noexit.LIBCMT ref: 0588F80B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __getptd_noexitrecvselect
                    • String ID:
                    • API String ID: 4248608111-0
                    • Opcode ID: b0c712a2a26100d26f5dfa3bf6e686e482efa5cfd9837144bba8aa8e4ea34557
                    • Instruction ID: 7ef9bc4abbbf616b1baab6e43ddff645d4813709a1056bb29af0c705fcb4c02d
                    • Opcode Fuzzy Hash: b0c712a2a26100d26f5dfa3bf6e686e482efa5cfd9837144bba8aa8e4ea34557
                    • Instruction Fuzzy Hash: 6F2181706043189FDF20BF68CC49BB677A4EF04710F140994ED05EB190DAB0AD85CBA2
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 0040C262
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C29F
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040FA39: std::_Deallocate.LIBCONCRT ref: 0040FA69
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeallocateDispatcherExceptionException@8H_prolog3_catch_ThrowUserstd::_
                    • String ID:
                    • API String ID: 170170546-0
                    • Opcode ID: 5c2cc91d5385ab337b35d654ab0a91e9128b34a27ff32cd322a483362cb4cf85
                    • Instruction ID: 360c8f84779fdead0fc0ad8b389c4da751a175b1c16ff25dcd2ce2adb5e19af8
                    • Opcode Fuzzy Hash: 5c2cc91d5385ab337b35d654ab0a91e9128b34a27ff32cd322a483362cb4cf85
                    • Instruction Fuzzy Hash: 7E111231D40128A6DB21A7B69C89FBF6E38EF86B60F50412FF114760C08F7C5546EEA6
                    APIs
                    • send.WS2_32(?,?,00040000,00000000), ref: 05883291
                    • send.WS2_32(?,?,?,00000000), ref: 058832CE
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: 7ca8e27eecf8a0e8401a5da1018426036067da864ab42236731c4c9b316c8a24
                    • Instruction ID: 9c8652b905c54d60fdefe1a00ca3ab5675cd093c058bf7e46b5503967d4f2f04
                    • Opcode Fuzzy Hash: 7ca8e27eecf8a0e8401a5da1018426036067da864ab42236731c4c9b316c8a24
                    • Instruction Fuzzy Hash: 14114872B05304B7D720DA2EDC89B6EBB98FB41765F104825FD0DD7280DB70AC418250
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: SleepTimetime
                    • String ID:
                    • API String ID: 346578373-0
                    • Opcode ID: 7234701df53972d8ad5d21835bb1794bea6104bbe3a993d664636980542a0faf
                    • Instruction ID: 46886982d48c2e314a247132d1e9eb5cfe1ad889a9f60680fa23d4a23ba30477
                    • Opcode Fuzzy Hash: 7234701df53972d8ad5d21835bb1794bea6104bbe3a993d664636980542a0faf
                    • Instruction Fuzzy Hash: A401BC39244206AFD311EF28CCC8B79B7A6FB99B01F144624E90587290CB31BDC6C7D1
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040BD4C
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BD65
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID:
                    • API String ID: 1841272387-0
                    • Opcode ID: 0781529f1884889c8c5f33fe4d4b84b7696d880079f5f7635e13c4264ea732bd
                    • Instruction ID: a7d4cb33f4c24b0cec264d0deaec169705958f490ff2fb92e1fc918a86c985c4
                    • Opcode Fuzzy Hash: 0781529f1884889c8c5f33fe4d4b84b7696d880079f5f7635e13c4264ea732bd
                    • Instruction Fuzzy Hash: 82F09C31D6070E9EDB02DEB4C856B9D7778AF19390F50D31BB004F7181EB7495819B55
                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,0588DE70,00000000,00000000,00000000), ref: 0588E38B
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,05891058,?,?,?,?,?,?,058A6188,0000000C,05891100,?), ref: 0588E399
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateObjectSingleThreadWait
                    • String ID:
                    • API String ID: 1891408510-0
                    • Opcode ID: 643e78817577dc660d4f1ed9a3deeb8225d6c5be52765fda58917c066a148750
                    • Instruction ID: 534bb265604de7aadcfbcadeecba6108d3635f0d09569d44ad7c0d61541dadcd
                    • Opcode Fuzzy Hash: 643e78817577dc660d4f1ed9a3deeb8225d6c5be52765fda58917c066a148750
                    • Instruction Fuzzy Hash: EEE012B0414245BFEF10BB64AC89D363BDCE314310B200211FC25C6290DA74BC80C720
                    APIs
                    • __getptd.LIBCMT ref: 0588F87F
                      • Part of subcall function 05893D4B: __getptd_noexit.LIBCMT ref: 05893D4E
                      • Part of subcall function 05893D4B: __amsg_exit.LIBCMT ref: 05893D5B
                      • Part of subcall function 0588F854: __getptd_noexit.LIBCMT ref: 0588F859
                      • Part of subcall function 0588F854: __freeptd.LIBCMT ref: 0588F863
                      • Part of subcall function 0588F854: ExitThread.KERNEL32 ref: 0588F86C
                    • __XcptFilter.LIBCMT ref: 0588F8A0
                      • Part of subcall function 0589407D: __getptd_noexit.LIBCMT ref: 05894083
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                    • String ID:
                    • API String ID: 418257734-0
                    • Opcode ID: 8c2d57116dd5f9afefbe8c3302532b32e0022e333825c90242f9e2a9195df864
                    • Instruction ID: 33eb6e39909d51dbc25074349ecf49bfcf2d2f2f80ace60b6d419549557b721b
                    • Opcode Fuzzy Hash: 8c2d57116dd5f9afefbe8c3302532b32e0022e333825c90242f9e2a9195df864
                    • Instruction Fuzzy Hash: C7E0ECB1A007009FEF5CFBA4C859E7D7B65EF54705F240088E9019B2B1DB799D45DA22
                    APIs
                    • __lock.LIBCMT ref: 0589630B
                      • Part of subcall function 05898D4B: __mtinitlocknum.LIBCMT ref: 05898D61
                      • Part of subcall function 05898D4B: __amsg_exit.LIBCMT ref: 05898D6D
                      • Part of subcall function 05898D4B: EnterCriticalSection.KERNEL32(00000000,00000000,?,05893DF6,0000000D,058A6230,00000008,05893EED,00000000,?,05890FE0,00000000,058A6168,00000008,05891045,?), ref: 05898D75
                    • __tzset_nolock.LIBCMT ref: 0589631C
                      • Part of subcall function 05895C12: __lock.LIBCMT ref: 05895C34
                      • Part of subcall function 05895C12: ____lc_codepage_func.LIBCMT ref: 05895C7B
                      • Part of subcall function 05895C12: __getenv_helper_nolock.LIBCMT ref: 05895C9D
                      • Part of subcall function 05895C12: _free.LIBCMT ref: 05895CD4
                      • Part of subcall function 05895C12: _strlen.LIBCMT ref: 05895CDB
                      • Part of subcall function 05895C12: __malloc_crt.LIBCMT ref: 05895CE2
                      • Part of subcall function 05895C12: _strlen.LIBCMT ref: 05895CF8
                      • Part of subcall function 05895C12: _strcpy_s.LIBCMT ref: 05895D06
                      • Part of subcall function 05895C12: __invoke_watson.LIBCMT ref: 05895D1B
                      • Part of subcall function 05895C12: _free.LIBCMT ref: 05895D2A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                    • String ID:
                    • API String ID: 1828324828-0
                    • Opcode ID: 701ab96d12712c2a87cefde1a80281e5a1fd15d6cb7ea5f118217178bd8c0d21
                    • Instruction ID: 279bba8f2ec58f19ad18ba1c9ba676a44e9bc4a79b5de0130f0bbc01f20caf6a
                    • Opcode Fuzzy Hash: 701ab96d12712c2a87cefde1a80281e5a1fd15d6cb7ea5f118217178bd8c0d21
                    • Instruction Fuzzy Hash: 99E0CD30A41311D9EE197BEE550951F7B70FFE1B11F5C0149AC80D50C0DD740D429653
                    APIs
                    • RegCloseKey.ADVAPI32(?,05886E87), ref: 05886EB6
                    • RegCloseKey.ADVAPI32(?), ref: 05886EBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: d1b038988b87d4fcb31c093f9e3bc8af48a5d9af618205fdb370c07b4858a3a6
                    • Instruction ID: d625461c225fe0e879b148be58fa8f7baada91aabe368c82d88bdc729e367383
                    • Opcode Fuzzy Hash: d1b038988b87d4fcb31c093f9e3bc8af48a5d9af618205fdb370c07b4858a3a6
                    • Instruction Fuzzy Hash: A6C09B72D1103857CF10D7A4FC4594D77B85F4C210F1180C2B605B3114C634BD41CF90
                    APIs
                    • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00404F4E
                    • recv.WS2_32(?,?,00040000,00000000), ref: 004050D0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: recvselect
                    • String ID:
                    • API String ID: 741273618-0
                    • Opcode ID: a421e57506cbe14cc2ce190a7c79759d927c530002768d923d84ebbac425a713
                    • Instruction ID: 49a2f7da404b625249a32cd7692e85dcb67c372cfff0e12a18ccb6021e8313ef
                    • Opcode Fuzzy Hash: a421e57506cbe14cc2ce190a7c79759d927c530002768d923d84ebbac425a713
                    • Instruction Fuzzy Hash: 23D1A6B79C9A8CAFF220E6C56C69B72B79CE313A37F300B33E966D16D0D65854418590
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: gethostbyname
                    • String ID:
                    • API String ID: 930432418-0
                    • Opcode ID: 48ce7ec1df7c59ace0878a26501cd4f3d25244ed5dcfc266241acb0cb9df4f51
                    • Instruction ID: 427e4929b13a99d62705b7894d47f5b3cdc59fd0936fd6e5dd61fe008e6691d2
                    • Opcode Fuzzy Hash: 48ce7ec1df7c59ace0878a26501cd4f3d25244ed5dcfc266241acb0cb9df4f51
                    • Instruction Fuzzy Hash: 5091F9B7999A8CBFF220EAD56CA9B72B79CD31397BF200B37F966C1690D61854018160
                    APIs
                    • WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00404777
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Ioctl
                    • String ID:
                    • API String ID: 3041054344-0
                    • Opcode ID: 3c0bdefa0330a23e1166972c187c32c30933b685273871fa4e9b9be3cdf0bae3
                    • Instruction ID: e2932c03992df029e037be51ae7facf8480625bf4253c7ee6efa6d5978ea715b
                    • Opcode Fuzzy Hash: 3c0bdefa0330a23e1166972c187c32c30933b685273871fa4e9b9be3cdf0bae3
                    • Instruction Fuzzy Hash: F351D8B7989A8CBFF220EAC56C69F72B79CE317A37F200B33F966D16D0D65854018190
                    APIs
                    • WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,?,00000000,00000000), ref: 00404777
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Ioctl
                    • String ID:
                    • API String ID: 3041054344-0
                    • Opcode ID: 4d15bafa83d224e3b7d2a10e2fab81b21094e2ecd3aa14761efadf4994bd7db0
                    • Instruction ID: 9526a585e8d6de3bbfc57107f87e5eb456f107fa1e0619f39ed654d06b90629f
                    • Opcode Fuzzy Hash: 4d15bafa83d224e3b7d2a10e2fab81b21094e2ecd3aa14761efadf4994bd7db0
                    • Instruction Fuzzy Hash: 7551C7B7989A8CBFF220EAC56C69F72B79CE317A37F200B33F966D16D0D65854018190
                    APIs
                    • VirtualProtect.KERNEL32(004F16B7,?,00000004,00000040,?,?,004F1595), ref: 004F1602
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: b3e2e26e12dc87767a2c570f88c579fbcfd8a53e7a448634394f5ea87b438120
                    • Instruction ID: 68ff67f9d07e77c6e6d61c8f1a88245ce5a92f72ba2f4a6eb926ff465044159e
                    • Opcode Fuzzy Hash: b3e2e26e12dc87767a2c570f88c579fbcfd8a53e7a448634394f5ea87b438120
                    • Instruction Fuzzy Hash: C141283250C208EBDB10FF11C9425BA77E6AF84704F58081BE7869B231D738A912DB8F
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004015FC
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040194B: __EH_prolog3_catch.LIBCMT ref: 00401952
                      • Part of subcall function 0040194B: __CxxThrowException@8.LIBVCRUNTIME ref: 004019AB
                      • Part of subcall function 00401AB9: __EH_prolog3_catch.LIBCMT ref: 00401AC0
                      • Part of subcall function 00401AB9: __CxxThrowException@8.LIBVCRUNTIME ref: 00401B19
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw$H_prolog3_catch$DispatcherExceptionUser
                    • String ID:
                    • API String ID: 1529331208-0
                    • Opcode ID: 81b3664c51658b730b172021a82d2e60659d506f757bcbb0ba70a12c2d6abe31
                    • Instruction ID: 0aeeca30e4b6b72a5ef697a379779fba4e5f551919b5e7e175dc64f926755ad4
                    • Opcode Fuzzy Hash: 81b3664c51658b730b172021a82d2e60659d506f757bcbb0ba70a12c2d6abe31
                    • Instruction Fuzzy Hash: F621FBB7988A88AFE220E6C59C65F76B7ACE306A36F300B37F516D27D0D76854018190
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004013A1
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8ThrowUser
                    • String ID:
                    • API String ID: 2513928553-0
                    • Opcode ID: ae8b8033c6243a9f075311f3abe85c467a7e4e60954b04cddbc19af5d2001eb4
                    • Instruction ID: 1f57a336439bd719dfdd525a7a61ee89b15920b2056cef97b8e63d903bfd20b4
                    • Opcode Fuzzy Hash: ae8b8033c6243a9f075311f3abe85c467a7e4e60954b04cddbc19af5d2001eb4
                    • Instruction Fuzzy Hash: BB1129B798AA4CAFE320DAC59C59BB2F7ACE317637F308B37E415D2690C72950028590
                    APIs
                    • socket.WS2_32(00000002,00000001,00000006), ref: 00403BC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: socket
                    • String ID:
                    • API String ID: 98920635-0
                    • Opcode ID: 16a13caeafb7fa22cc3ca8b3dc351e3565d63a82df92d44b7bded52b7ad5ebd5
                    • Instruction ID: 7db0104d75c140099f8443ccc315c25807cdd804811e74faee2cd90b5ee88d59
                    • Opcode Fuzzy Hash: 16a13caeafb7fa22cc3ca8b3dc351e3565d63a82df92d44b7bded52b7ad5ebd5
                    • Instruction Fuzzy Hash: B91108B79C9A88BFF130EAC56C69B72B79CE302A37F200B37F912D27D0D65554018150
                    APIs
                    • __floor_pentium4.LIBCMT ref: 00401C3C
                      • Part of subcall function 0040194B: __EH_prolog3_catch.LIBCMT ref: 00401952
                      • Part of subcall function 0040194B: __CxxThrowException@8.LIBVCRUNTIME ref: 004019AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow__floor_pentium4
                    • String ID:
                    • API String ID: 2457699348-0
                    • Opcode ID: 224c9e45b2d27edf53adf674c219c934f7631aab86358383652982ed0df9a724
                    • Instruction ID: 38359e74e22959d586143c1e7d248b865d989df890bb6bea26221316be0be554
                    • Opcode Fuzzy Hash: 224c9e45b2d27edf53adf674c219c934f7631aab86358383652982ed0df9a724
                    • Instruction Fuzzy Hash: 10214C71540B08AFE310EF65DC45BA9BBF8EB09765F10862BF446F7290DB3494808618
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040285E
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8ThrowUser
                    • String ID:
                    • API String ID: 2513928553-0
                    • Opcode ID: 2ea6a3bffdddacc6e6226561113e71871c3eee23053dee7462be0febc3fe56aa
                    • Instruction ID: 44b206e5b7eb95d1573f759f48dccc0809119720aaeac39973624ef8493f10cc
                    • Opcode Fuzzy Hash: 2ea6a3bffdddacc6e6226561113e71871c3eee23053dee7462be0febc3fe56aa
                    • Instruction Fuzzy Hash: AF110477988748AFE720EBD4D869B66BBA8E706B36F304A37E516D63C0D37844418690
                    APIs
                    • __floor_pentium4.LIBCMT ref: 00401EDD
                      • Part of subcall function 00401891: __EH_prolog3_catch.LIBCMT ref: 00401898
                      • Part of subcall function 00401891: __CxxThrowException@8.LIBVCRUNTIME ref: 004018F1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow__floor_pentium4
                    • String ID:
                    • API String ID: 2457699348-0
                    • Opcode ID: bfab972bb9b0181d7663b6d2c90f6b33c4a1280d9968e217cdae45112fbdc5b7
                    • Instruction ID: a083d6634491f3e3ffd0fe8e7a64a01b5e9820adfea1e857aab7a14686004dc0
                    • Opcode Fuzzy Hash: bfab972bb9b0181d7663b6d2c90f6b33c4a1280d9968e217cdae45112fbdc5b7
                    • Instruction Fuzzy Hash: E0212C72900A089FD711EF65DC95B59BBB4FB09771F14863BF909FB291E73884808B98
                    APIs
                    • socket.WS2_32(00000002,00000001,00000006), ref: 00403BC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: socket
                    • String ID:
                    • API String ID: 98920635-0
                    • Opcode ID: f2a024eb85a8589b0dfd7f5124df27c2e617e7ec4347d23f3156247cc61842ca
                    • Instruction ID: 156df80eaa3a9cd1b6b290dd6e74887305d72ac7276ae3ad8e17c4dd1474cb22
                    • Opcode Fuzzy Hash: f2a024eb85a8589b0dfd7f5124df27c2e617e7ec4347d23f3156247cc61842ca
                    • Instruction Fuzzy Hash: 8A11D6B7988B88AFF220EAC56C69B327B9CE306A76F200B37F516D67D0D65844018150
                    APIs
                    • __floor_pentium4.LIBCMT ref: 00401C3C
                      • Part of subcall function 0040194B: __EH_prolog3_catch.LIBCMT ref: 00401952
                      • Part of subcall function 0040194B: __CxxThrowException@8.LIBVCRUNTIME ref: 004019AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow__floor_pentium4
                    • String ID:
                    • API String ID: 2457699348-0
                    • Opcode ID: d6c84756b6fbf601fb854442ebb8dc9809b7fe42b47e4487d8e3755c681d21b5
                    • Instruction ID: 6859fc5f457ba43b8b4e1f91fbe173df23dca8f024f8f5674980d8ffa8ed19cd
                    • Opcode Fuzzy Hash: d6c84756b6fbf601fb854442ebb8dc9809b7fe42b47e4487d8e3755c681d21b5
                    • Instruction Fuzzy Hash: 22213871500B08AFE311EF65DC51B69BBF8EB08B65F10852BF546F7290D73898808A18
                    APIs
                    • send.WS2_32(?,?,?,00000000), ref: 00406119
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: 9a607c971fbc1b9a05e80e4d710e7cdf936215a65a5d72d3e31cae9591534659
                    • Instruction ID: 391f9e5f477f5b69a7be163d07de6ff7d235d26d8a1a80c6c48969dbd6ec0880
                    • Opcode Fuzzy Hash: 9a607c971fbc1b9a05e80e4d710e7cdf936215a65a5d72d3e31cae9591534659
                    • Instruction Fuzzy Hash: 77F0F677984A48AFE720ABD99C59BB6BB68E306632F100B33F512E62A0C72584008754
                    APIs
                    • send.WS2_32(?,?,?,00000000), ref: 00406119
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: 2342ff3d89ade561285c3f9dfb7c381d1b663c0d5d62ce1f8a962841aa085b53
                    • Instruction ID: 82b08bf2852a893624ee8714b3a20becac123d8e96897c75e4b48596348d49ec
                    • Opcode Fuzzy Hash: 2342ff3d89ade561285c3f9dfb7c381d1b663c0d5d62ce1f8a962841aa085b53
                    • Instruction Fuzzy Hash: D3F02473984A48AFE710DBD89C15B6A7BA8F309731F204A33F612E62A0C32984108794
                    APIs
                    • InterlockedExchange.KERNEL32 ref: 0588AD90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ExchangeInterlocked
                    • String ID:
                    • API String ID: 367298776-0
                    • Opcode ID: 05224ecbe9818dcf94952b7fae004db61953893bac615721e638167601b7145c
                    • Instruction ID: 34a0f9320645e879d556a0dad2f8803ec178f31dfa8b0b9aaa2a86e0ac620c1e
                    • Opcode Fuzzy Hash: 05224ecbe9818dcf94952b7fae004db61953893bac615721e638167601b7145c
                    • Instruction Fuzzy Hash: FAF089363083864FC711DE64E895A69FB54FF86221F4486EBEA448B182C6319C59D7E1
                    APIs
                    • WSAStartup.WS2_32(00000002,E826D012), ref: 00401020
                      • Part of subcall function 0041871B: __onexit.LIBCMT ref: 00418721
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Startup__onexit
                    • String ID:
                    • API String ID: 1034835647-0
                    • Opcode ID: b962cd1775d17826f4094ac5bba1205115c106db0ab0e2a3d2044d5428ae31b3
                    • Instruction ID: ad6f5502b40e12d28c2601b8d06bf468c4c147878f5bab7edd95b4fb12a4dd2d
                    • Opcode Fuzzy Hash: b962cd1775d17826f4094ac5bba1205115c106db0ab0e2a3d2044d5428ae31b3
                    • Instruction Fuzzy Hash: 19E0617160474047D314A73AAC53BB6B7D89F89305F40497FE99AC70D1DF3455068A4B
                    APIs
                    • VirtualProtect.KERNEL32(004F16B7,?,00000004,00000040,?,?,004F1595), ref: 004F1602
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 7dd796084cc0716593e56c66aca0a8b2eb5ccede691efad210a75bb77fff29c0
                    • Instruction ID: a9b7c8aeff95e80a3fd5a39cede63f3f7132a03c169b755d0948bd8735fc96b6
                    • Opcode Fuzzy Hash: 7dd796084cc0716593e56c66aca0a8b2eb5ccede691efad210a75bb77fff29c0
                    • Instruction Fuzzy Hash: 7CD05E70504209D79A20FB7099531AE33A65E8470CF54481EEA9893121DB28AA2A4AAB
                    APIs
                    • LdrInitializeThunk.NTDLL(0244B39C,000000FF,00000007,00000000,00000004,00000000,?,?,?,0244B0AE,00000065,00000000,?,0244A643,FFFFFFE0,00000000), ref: 024028D9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 0c8d8a839ae5cab81025d682d6d5e8e18988fa8771bb9019b0ad9e76903669f1
                    • Instruction ID: 566ce3e0263a86db5437ec948299dbae86295702f6de5559af0704fc3b273ddc
                    • Opcode Fuzzy Hash: 0c8d8a839ae5cab81025d682d6d5e8e18988fa8771bb9019b0ad9e76903669f1
                    • Instruction Fuzzy Hash: BCB09B729018C5D9DE15E760460C7177A0067D0701F76C162D1030659A4778C1D5F375
                    APIs
                    • LdrInitializeThunk.NTDLL(023C1044,?,00000009,00000018,00000000,?,?), ref: 0240284F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: a71e7081c76ecea2634b383d37da205dec0b05006cc2aab41f4ac2f785934223
                    • Instruction ID: dcb199de52116b1cba56a78b0317bf21098c0fdefd7e90470ebb778446e5a7d2
                    • Opcode Fuzzy Hash: a71e7081c76ecea2634b383d37da205dec0b05006cc2aab41f4ac2f785934223
                    • Instruction Fuzzy Hash: 52900231201804D2D50072588404B4A410597E0301FB6C015A0514658DC95589617161
                    APIs
                    • LdrInitializeThunk.NTDLL(0243C931,?,00020019,?,00000000,?,?,76E91B54,76E85DD8,76E91AB0,00000000,?,0000020A,?,?,00000000), ref: 0240394F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: a85b341f0fc1f59f4692e111faf1b471c986634ed5bcee361d653d18a0b1ef7d
                    • Instruction ID: a7eb46da7fb45dbc78358d5416c891934bac48ddb4ee52765059e23198b027d7
                    • Opcode Fuzzy Hash: a85b341f0fc1f59f4692e111faf1b471c986634ed5bcee361d653d18a0b1ef7d
                    • Instruction Fuzzy Hash: 2590023120180492D90171589804647000587D4301FB6D511A052455CECA54896171A1
                    APIs
                    • LdrInitializeThunk.NTDLL(0244397F,00000000,?,00000000,00000004,00004000,00000004,00000000,00000000,00000004,?,00000004,76FA5D80,00000000,00000000,?), ref: 02402D4F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: e3fb03b96d9fc1abf01bfd89bb3a5a2b5f13ad449933a34650d3808e96cd021a
                    • Instruction ID: 1d37e05ba6ef58002bdccb02757db2f2c5e30ecbb05cfe990c76d29b6f4bde6d
                    • Opcode Fuzzy Hash: e3fb03b96d9fc1abf01bfd89bb3a5a2b5f13ad449933a34650d3808e96cd021a
                    • Instruction Fuzzy Hash: 3590023124180892D5407158C4147070006C7D0601FB6C011A0124558DCA168A6576F1
                    APIs
                    • LdrInitializeThunk.NTDLL(023E364E,000000FA,00000001,?,00000050,?,00000000), ref: 0240295F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 1aa760f0423e8c16879561bfc721d428e02946f17030f1d3d397e97d8c416353
                    • Instruction ID: 44aaf8fb4bacf8727daf9a5c8ac0f724ad8c527ba2b932c8cd2d9832c68326ff
                    • Opcode Fuzzy Hash: 1aa760f0423e8c16879561bfc721d428e02946f17030f1d3d397e97d8c416353
                    • Instruction Fuzzy Hash: 7B90023120180492D50075989408646000587E0301FB6D011A5124559ECA6589917171
                    APIs
                    • LdrInitializeThunk.NTDLL(0241BF13,?,00000000,00000000,?,00000220,?,?,?,00000001,?,76E87EAC,?,?,00000002,?), ref: 02402A6F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 278828995a27b8956cc06e1055ee92603db052533a6763caa458df4a24c26c24
                    • Instruction ID: 65c57d2d79997967c621c0cfa28fb185a7a6604d0be66ab69f75c34d33d808f9
                    • Opcode Fuzzy Hash: 278828995a27b8956cc06e1055ee92603db052533a6763caa458df4a24c26c24
                    • Instruction Fuzzy Hash: 9C90023124180492D54171588404606000997D0241FF6C012A0524558ECA558B56BAA1
                    APIs
                    • LdrInitializeThunk.NTDLL(02400298,?,00000000,00000001,00000000,00000000,00000000,?,?,?,?,00000000), ref: 02402C6F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 9c108ca8da4b7945a0a9952683abbeebe51abec1548ac5c3ebd004b90cba5b90
                    • Instruction ID: f1fbd36493b9b43dd1b27881c55b4b890ae4995d64617fcdfce7fc223b740b08
                    • Opcode Fuzzy Hash: 9c108ca8da4b7945a0a9952683abbeebe51abec1548ac5c3ebd004b90cba5b90
                    • Instruction Fuzzy Hash: CA900231601800D245407168C8449064005ABE12117B6C121A0A98554DC959896566A5
                    APIs
                    • LdrInitializeThunk.NTDLL(023F3C1A,?,?,?,00000021,00100020,?), ref: 02402A7F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: e1831f3b80571ff245ffa1ac3cea228793df76da1466f4aa8b8e933eac318279
                    • Instruction ID: d94a385240ea5cc5cb523d8d4d9802149a19af9c33e221ce7300a4ada19dde67
                    • Opcode Fuzzy Hash: e1831f3b80571ff245ffa1ac3cea228793df76da1466f4aa8b8e933eac318279
                    • Instruction Fuzzy Hash: B390023160580492D54171588454706001987D0241FF6C012A0124558DCA558B56B6E1
                    APIs
                    • LdrInitializeThunk.NTDLL(0244B210,00000004,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 0240281F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: dd1357673929edd627d5002cf9b22b1c21bc2a403287383c9e2e20cba39850d4
                    • Instruction ID: a7c3278bab233e358864312cb0a9fac2fa44294094936769d81f40b09dbb6f4b
                    • Opcode Fuzzy Hash: dd1357673929edd627d5002cf9b22b1c21bc2a403287383c9e2e20cba39850d4
                    • Instruction Fuzzy Hash: AA90027120280093450571588414616400A87E0201BB6C021E1114594DC92589917165
                    APIs
                    • LdrInitializeThunk.NTDLL(023F2FD7,?,?,?,?), ref: 02402B1F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 11d94716a0a9a50aea8195846aaae944c1793c340b99bc1e967f78cb2f04d93e
                    • Instruction ID: 9dc4532990c3311a998ece6e45485afd5e8534d6e25cb276fd3244faad9b1279
                    • Opcode Fuzzy Hash: 11d94716a0a9a50aea8195846aaae944c1793c340b99bc1e967f78cb2f04d93e
                    • Instruction Fuzzy Hash: 7890027120180092D54171589404706400997E0241FF6C013A0614558CC9158A56A261
                    APIs
                    • LdrInitializeThunk.NTDLL(02433C2F,?,00000009,00000018,00000000,00000000,00000000,00000000), ref: 0240291F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: e9c74aefc6d850f881e4025fd3ffb9272c4f9300d69bd7779120de17ec40eed9
                    • Instruction ID: d93bdadf144966689d6c613757223a2a96fe6a0621c1ea02d9638c1ec833a575
                    • Opcode Fuzzy Hash: e9c74aefc6d850f881e4025fd3ffb9272c4f9300d69bd7779120de17ec40eed9
                    • Instruction Fuzzy Hash: E1900231201808D2D50071588404B46000587E0301FB6C016A0224658DCA15C9517561
                    APIs
                    • LdrInitializeThunk.NTDLL(0244B240,000000FF,0000001C,0000000C,00008000,00000000,00000000,?,0244B084,000000FF,00000000,00000000,0000000C,00001000,00000004,76F8D260), ref: 0240292F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: fe7a695d54c47184f6869f139371b110fb42ca037c2ef3b0bac4e3626bfa7998
                    • Instruction ID: 5e4434a41b56dcab8794d83cf17c84d42851e9d31ee7a6c4386824e225b1f118
                    • Opcode Fuzzy Hash: fe7a695d54c47184f6869f139371b110fb42ca037c2ef3b0bac4e3626bfa7998
                    • Instruction Fuzzy Hash: 8C90023120188892D5107158C40474A000587D0301FBAC411A452465CDCA9589917161
                    APIs
                    • LdrInitializeThunk.NTDLL(0244B1BD,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 024029CF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 32a9f807de822e85ff040538f7fbc2df4ab8354551751fba201e08b8ecb80970
                    • Instruction ID: eb73a56ec62a6490eeec47b7d36abee0e6eedca61927941d4eca6f1ef06fa251
                    • Opcode Fuzzy Hash: 32a9f807de822e85ff040538f7fbc2df4ab8354551751fba201e08b8ecb80970
                    • Instruction Fuzzy Hash: 0590023921380092D5807158940860A000587D1202FF6D415A011555CCCD1589696361
                    APIs
                    • LdrInitializeThunk.NTDLL(0244B19B,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 02402BEF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 4779a73a3e63ccb235c346d7bbb9e1cc29c307b5cf0947d03509edc91a6023ee
                    • Instruction ID: 03b4f8b3da908c51694e4ca40a92fff84c967a19f802b24f1fc847529ea20f25
                    • Opcode Fuzzy Hash: 4779a73a3e63ccb235c346d7bbb9e1cc29c307b5cf0947d03509edc91a6023ee
                    • Instruction Fuzzy Hash: DF900271341804D2D50071588414B060005C7E1301FB6C015E1164558DCA19CD527166
                    APIs
                    • LdrInitializeThunk.NTDLL(0244B1FF,000000FF,00000000,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 024029EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 03eec2dd048b8e4f33d0e121f1ee76f423578e65da4fa5125804e2d58986a6b7
                    • Instruction ID: 3045aac6dd4cd7cc4da64803de65df99600675759a62d445acbb8ebda6492752
                    • Opcode Fuzzy Hash: 03eec2dd048b8e4f33d0e121f1ee76f423578e65da4fa5125804e2d58986a6b7
                    • Instruction Fuzzy Hash: DD90023130180093D540715894186064005D7E1301FB6D011E0514558CDD1589566262
                    APIs
                    • LdrInitializeThunk.NTDLL(0241F92D,000000FE,00000005,?,00000004,000000FE,00000000,00000001), ref: 024027FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 89dbe6fee2a7d5bde55e6a9cebc87a549e6907b4d2d9fa4ed4478543ed452b88
                    • Instruction ID: fd162d09187195704d1a5487c24e7ee05acbcbafa838542260557f549b872b82
                    • Opcode Fuzzy Hash: 89dbe6fee2a7d5bde55e6a9cebc87a549e6907b4d2d9fa4ed4478543ed452b88
                    • Instruction Fuzzy Hash: 9490023120180492D50071988404706000587D0201FB6C412E062455CDCA5589517571
                    APIs
                    • LdrInitializeThunk.NTDLL(02418E58,00000000,76FA4F4C), ref: 02402A8F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 3311cdc1437dc7d57fc21bf6541892f70bad979a9ac821505f141b48a28c8ae1
                    • Instruction ID: ba355d8e859d6816615315c8d49fa765a9c66f78f412bfb7516d1d93b4bf5fbd
                    • Opcode Fuzzy Hash: 3311cdc1437dc7d57fc21bf6541892f70bad979a9ac821505f141b48a28c8ae1
                    • Instruction Fuzzy Hash: 10900231242841E25945B1588404507400697E02417F6C012A1514954CC9269956E661
                    APIs
                    • LdrInitializeThunk.NTDLL(0249A13E,00000000,00000000,00000000,00000000,?,0022096C,00000000,00000000,00000004,00000010,?,00000000), ref: 0240279F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 6c81ed84ab1970866dfb33400d242b6450455a1d59324ce333c241328bb42825
                    • Instruction ID: d4655b01347a1290ce35513ebc35721995a3efd51dd371ff95b07b64c68107f8
                    • Opcode Fuzzy Hash: 6c81ed84ab1970866dfb33400d242b6450455a1d59324ce333c241328bb42825
                    • Instruction Fuzzy Hash: 50900235612844D20541B1588504947000587D82493B6C011F0155598CDB259965A261
                    APIs
                    • LdrInitializeThunk.NTDLL(02419997,?,?,00000002,00000000,?,?,?,76E25D78,?,?,?,?,?,80000005), ref: 0240289F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: e69b0853e0ba7a260a24ea3c5eaf87fd1f83b4988f561c55acdc85df74fd7234
                    • Instruction ID: bafe1a318a29b9fef6596f84c02798d614c7910f3764ff90cfc555ff2a01a69e
                    • Opcode Fuzzy Hash: e69b0853e0ba7a260a24ea3c5eaf87fd1f83b4988f561c55acdc85df74fd7234
                    • Instruction Fuzzy Hash: 6E900231205848D2D54071588404A46001587D0305FB6C011A0164698DDA258E55B6A1
                    APIs
                    • LdrInitializeThunk.NTDLL(02499FB9,?,00100080,00000018,?,00000000,00000000,00000007,00000001,00000020,00000000,00000000,76EA5A68,00000000,?,?), ref: 02402C9F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 8ac549f2867562ec1500e0e04f390b73ac4eeec54055744d4b505ee26b047c0a
                    • Instruction ID: 52ea3a1bfe49ca4497603a7c7aeba830978ab11dc6f7cd3ffbc77b97a477a51e
                    • Opcode Fuzzy Hash: 8ac549f2867562ec1500e0e04f390b73ac4eeec54055744d4b505ee26b047c0a
                    • Instruction Fuzzy Hash: 93900231211C00D2D60075688C14B07000587D0303FB6C115A0254558CCD1589616561
                    APIs
                    • LdrInitializeThunk.NTDLL(02450BC8,?,?,?,?), ref: 024034AF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b229049292478d3ae635913977713cc3679d8945ac67d47234f80e5a5c8df1e4
                    • Instruction ID: b1544ed245800e6e1e5c382c5c2fefaeea95f39a98dd5ee044b975a72eed7e04
                    • Opcode Fuzzy Hash: b229049292478d3ae635913977713cc3679d8945ac67d47234f80e5a5c8df1e4
                    • Instruction Fuzzy Hash: 5B90023120180493D540719885046078005A7F0201FB6C012A0515558CD95689556271
                    APIs
                    • LdrInitializeThunk.NTDLL(0244AD10,00000073,?,00000008,00000000,000000FF,00000004), ref: 02402AAF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: b07e20b1e1f62226c95c3b95021e95314ccf6a60d1538666fc4c27f6eedf0abb
                    • Instruction ID: e0cfee59f3bd629d696d9df025a24d049228ab1f5450e19fda68cd4384c52875
                    • Opcode Fuzzy Hash: b07e20b1e1f62226c95c3b95021e95314ccf6a60d1538666fc4c27f6eedf0abb
                    • Instruction Fuzzy Hash: 41900231201804A3D51171588504707000987D0241FF6C412A052455CDDA568A52B161
                    APIs
                    • LdrInitializeThunk.NTDLL(0244B012,000000FF,00000000,00000000,0000000C,00001000,00000004,76F8D260,0000001C,0244AD6B), ref: 024028AF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 99d95164daa121e4aa1da014ad54696e11d4a89c828f981c5379f8b395cffda3
                    • Instruction ID: f493f41ee4575846753655f81b4abaab26142dd9efb5aad95f225d96354de1fb
                    • Opcode Fuzzy Hash: 99d95164daa121e4aa1da014ad54696e11d4a89c828f981c5379f8b395cffda3
                    • Instruction Fuzzy Hash: 7290023120180892D5807158840464A000587D1301FF6C015A0125658DCE158B5977E1
                    APIs
                    • LdrInitializeThunk.NTDLL(023F6F44,?,?,?,00000008,0000001E), ref: 024029BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458408865.0000000002390000.00000040.00000020.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_2390000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    • Opcode ID: 42339184a28783423944fc9ac82ea6ac916fb52e1ea481eb8e768c14776ee7f9
                    • Instruction ID: 67d7d67ac5255d78cda0559fcb6871c985b3fca63008080f8ea36a83b41ef028
                    • Opcode Fuzzy Hash: 42339184a28783423944fc9ac82ea6ac916fb52e1ea481eb8e768c14776ee7f9
                    • Instruction Fuzzy Hash: 5D900231205844D2D50075589408A06000587D0205FB6D011A1164599DCA358951B171
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e7efa3e78e8e3d2378db4a0b53af39530989666be69a648821daeaf1719bf47a
                    • Instruction ID: 317d1d60e3700707c6a44b6a7b76a62342425d9a54777d5ecfe259181db8e187
                    • Opcode Fuzzy Hash: e7efa3e78e8e3d2378db4a0b53af39530989666be69a648821daeaf1719bf47a
                    • Instruction Fuzzy Hash: 5EC1E072D20219ABDF00DFD4EA88BEDBBB6FB08319F244515E412B7684C774A995CF14
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4080447c99b4bfb018b9855abd1eb7e7efdbdcb1cb35f0d01b2dc8d657015916
                    • Instruction ID: 8e93edcd5d12c689ba28627672607868ce49681f4fdde1018e30d29e9f974557
                    • Opcode Fuzzy Hash: 4080447c99b4bfb018b9855abd1eb7e7efdbdcb1cb35f0d01b2dc8d657015916
                    • Instruction Fuzzy Hash: 1B513776A102299FDB11CF98D888BAEBBF4FF49714F1442A5E911AB394D3709C41CBA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    APIs
                    • _memset.LIBCMT ref: 0588E799
                    • Sleep.KERNEL32(00000001,?,?,?,0588601C), ref: 0588E7A3
                    • GetTickCount.KERNEL32 ref: 0588E7AF
                    • GetTickCount.KERNEL32 ref: 0588E7C2
                    • InterlockedExchange.KERNEL32(058B1F48,00000000), ref: 0588E7CA
                    • OpenClipboard.USER32(00000000), ref: 0588E7D2
                    • GetClipboardData.USER32(0000000D), ref: 0588E7DA
                    • GlobalSize.KERNEL32(00000000), ref: 0588E7EB
                    • GlobalLock.KERNEL32(00000000), ref: 0588E7FC
                    • wsprintfW.USER32 ref: 0588E875
                    • _memset.LIBCMT ref: 0588E893
                    • GlobalUnlock.KERNEL32(00000000), ref: 0588E89C
                    • CloseClipboard.USER32 ref: 0588E8A2
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0588E8BA
                    • CreateFileW.KERNEL32(058B0DC0,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0588E8D4
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0588E8F2
                    • lstrlenW.KERNEL32(058A5A38,?,00000000), ref: 0588E906
                    • WriteFile.KERNEL32(00000000,058A5A38,00000000), ref: 0588E915
                    • CloseHandle.KERNEL32(00000000), ref: 0588E91C
                    • ReleaseMutex.KERNEL32(?), ref: 0588E928
                    • GetKeyState.USER32(00000014), ref: 0588E9AC
                    • lstrlenW.KERNEL32(058AB4A8), ref: 0588E9FB
                    • wsprintfW.USER32 ref: 0588EA0D
                    • lstrlenW.KERNEL32(058AB4D0), ref: 0588EA2E
                    • lstrlenW.KERNEL32(058AB4D0), ref: 0588EA51
                    • wsprintfW.USER32 ref: 0588EA6F
                    • wsprintfW.USER32 ref: 0588EA85
                    • wsprintfW.USER32 ref: 0588EAAF
                    • lstrlenW.KERNEL32(00000000), ref: 0588EAFB
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0588EB11
                    • CreateFileW.KERNEL32(058B0DC0,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0588EB2B
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0588EB49
                    • lstrlenW.KERNEL32(00000000,?,00000000), ref: 0588EB59
                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0588EB64
                    • CloseHandle.KERNEL32(00000000), ref: 0588EB6B
                    • ReleaseMutex.KERNEL32(?), ref: 0588EB78
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
                    • String ID: [$%s%s$%s%s$%s%s$[esc]
                    • API String ID: 1637302245-2373594894
                    APIs
                    • _memset.LIBCMT ref: 058877F4
                    • _memset.LIBCMT ref: 05887840
                    • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 05887854
                      • Part of subcall function 05888710: _vswprintf_s.LIBCMT ref: 05888721
                    • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,75920630,?,75920F00), ref: 05887883
                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 058878CA
                      • Part of subcall function 05887730: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,058878EC), ref: 05887746
                      • Part of subcall function 05887730: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,058878EC,?,?,?,?,?,?,75920630), ref: 0588774D
                    • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 058878FA
                    • _memset.LIBCMT ref: 05887913
                    • LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 0588792B
                    • GetProcAddress.KERNEL32(00000000), ref: 05887934
                    • LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 05887946
                    • GetProcAddress.KERNEL32(00000000), ref: 05887949
                    • LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 0588795B
                    • GetProcAddress.KERNEL32(00000000), ref: 0588795E
                    • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 05887970
                    • GetProcAddress.KERNEL32(00000000), ref: 05887973
                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 0588797B
                    • GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 05887982
                    • _memset.LIBCMT ref: 058879A4
                    • GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 058879BA
                    • VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 058879EF
                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 05887A0B
                    • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 05887A33
                    • VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 05887A48
                    • WriteProcessMemory.KERNEL32(00000000,00000000,058876E0,00001000,00000000), ref: 05887A62
                    • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 05887A80
                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 05887A91
                    • Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 05887AAA
                    • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 05887AC6
                    • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 05887AD8
                    • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 05887AE1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
                    • String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                    • API String ID: 4176418925-3213446972
                    APIs
                    • _memset.LIBCMT ref: 05887E63
                    • _memset.LIBCMT ref: 05887E8F
                    • _memset.LIBCMT ref: 05887EC4
                    • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 05887ED8
                      • Part of subcall function 05888710: _vswprintf_s.LIBCMT ref: 05888721
                    • GetFileAttributesA.KERNEL32(?), ref: 05887F05
                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 05887F55
                    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 05887F82
                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 05887F9A
                    • GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 05887FBC
                    • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 05887FDA
                    • ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 05887FEF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                    • String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                    • API String ID: 2170139861-2473635271
                    APIs
                    • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,058B0DC0,7591E010,75922FA0,75920F00,?,05885FF7,?,?), ref: 0588E409
                    • lstrcatW.KERNEL32(058B0DC0,\DisplaySessionContainers.log,?,05885FF7,?,?), ref: 0588E419
                    • CreateMutexW.KERNEL32(00000000,00000000,058B0DC0,?,05885FF7,?,?), ref: 0588E428
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,05885FF7,?,?), ref: 0588E436
                    • CreateFileW.KERNEL32(058B0DC0,40000000,00000002,00000000,00000004,00000080,00000000,?,05885FF7,?,?), ref: 0588E453
                    • GetFileSize.KERNEL32(00000000,00000000,?,05885FF7,?,?), ref: 0588E45E
                    • CloseHandle.KERNEL32(00000000,?,05885FF7,?,?), ref: 0588E467
                    • DeleteFileW.KERNEL32(058B0DC0,?,05885FF7,?,?), ref: 0588E47A
                    • ReleaseMutex.KERNEL32(?,?,05885FF7,?,?), ref: 0588E487
                    • DirectInput8Create.DINPUT8(?,00000800,058A4934,058B1260,00000000,?,05885FF7,?,?), ref: 0588E4A2
                    • GetTickCount.KERNEL32 ref: 0588E555
                    • GetKeyState.USER32(00000014), ref: 0588E562
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                    • String ID: <$\DisplaySessionContainers.log
                    • API String ID: 1095970075-1170057892
                    APIs
                    • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,0588DF04), ref: 05887627
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,0588DF04), ref: 0588762E
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0588764A
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 05887667
                    • CloseHandle.KERNEL32(?), ref: 05887671
                    • GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,0588DF04), ref: 05887681
                    • GetProcAddress.KERNEL32(00000000), ref: 05887688
                    • GetCurrentProcessId.KERNEL32 ref: 058876AA
                    • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 058876B7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
                    • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                    • API String ID: 1802016953-1577477132
                    APIs
                    • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75A773E0,00000AD4,00000000), ref: 05888122
                    • lstrcmpiW.KERNEL32(?,A:\), ref: 05888156
                    • lstrcmpiW.KERNEL32(?,B:\), ref: 05888166
                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 05888196
                    • lstrlenW.KERNEL32(?), ref: 058881A7
                    • __wcsnicmp.LIBCMT ref: 058881BE
                    • lstrcpyW.KERNEL32(00000AD4,?), ref: 058881F4
                    • lstrcpyW.KERNEL32(?,?), ref: 05888218
                    • lstrcatW.KERNEL32(?,00000000), ref: 05888223
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                    • String ID: A:\$B:\
                    • API String ID: 950920757-1009255891
                    APIs
                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 05890464
                    • GetSystemInfo.KERNEL32(?), ref: 0589047C
                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0589048C
                    • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0589049C
                    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 058904EE
                    • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 05890503
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                    • String ID: SetThreadStackGuarantee$kernel32.dll
                    • API String ID: 3290314748-423161677
                    APIs
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 05887B79
                    • OpenProcessToken.ADVAPI32(00000000), ref: 05887B80
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 05887BA6
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 05887BBC
                    • GetLastError.KERNEL32 ref: 05887BC2
                    • CloseHandle.KERNEL32(?), ref: 05887BD0
                    • CloseHandle.KERNEL32(?), ref: 05887BEB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                    • String ID: SeShutdownPrivilege
                    • API String ID: 3435690185-3733053543
                    APIs
                    • OpenEventLogW.ADVAPI32(00000000,058A57AC), ref: 0588B3C7
                    • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0588B3D2
                    • CloseEventLog.ADVAPI32(00000000), ref: 0588B3D9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Event$ClearCloseOpen
                    • String ID: Application$Security$System
                    • API String ID: 1391105993-2169399579
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                    • API String ID: 4168288129-2761157908
                    APIs
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,058878EC), ref: 05887746
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,058878EC,?,?,?,?,?,?,75920630), ref: 0588774D
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 05887775
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 058877A9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                    • String ID: SeDebugPrivilege
                    • API String ID: 2349140579-2896544425
                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0589120C
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 05891221
                    • UnhandledExceptionFilter.KERNEL32(058A25B8), ref: 0589122C
                    • GetCurrentProcess.KERNEL32(C0000409), ref: 05891248
                    • TerminateProcess.KERNEL32(00000000), ref: 0589124F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                    • String ID:
                    • API String ID: 2579439406-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: X C$X C
                    • API String ID: 0-2718379240
                    • Opcode ID: 0d02399648c13518c4cb0f7601dd32b78b80c50ea76878bed7eb001313bb0661
                    • Instruction ID: 2e5d7492436ed7a20c8ef4e21d884bb0b5665ddccbacf502d6eb511b76857e1d
                    • Opcode Fuzzy Hash: 0d02399648c13518c4cb0f7601dd32b78b80c50ea76878bed7eb001313bb0661
                    • Instruction Fuzzy Hash: 38024E71E002299BDF14CFA9E9806AEFBF1EF48315F65416AE815E7340D739AE41CB84
                    APIs
                    • __EH_prolog3.LIBCMT ref: 004127D3
                    • ___from_strstr_to_strchr.LIBCMT ref: 004128B4
                      • Part of subcall function 004130DB: __EH_prolog3.LIBCMT ref: 004130E2
                    Strings
                    • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_, xrefs: 004128AF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3$___from_strstr_to_strchr
                    • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
                    • API String ID: 3394665768-3812731148
                    • Opcode ID: 854dc4d12c4070c0b631fce2034d0d03ba0de500c85bcdd2ce3b69648cb1c1a2
                    • Instruction ID: 4114168b71c07299ec2e7dfe45a941bbc6e8cb5fcabe13bdef151fcce3f4fd3a
                    • Opcode Fuzzy Hash: 854dc4d12c4070c0b631fce2034d0d03ba0de500c85bcdd2ce3b69648cb1c1a2
                    • Instruction Fuzzy Hash: 10D1AD70604646AFDB15CF28C681BEABBE1BF48304F14411AE856CB351C7B8F9B1DB69
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_
                    • String ID: vmware
                    • API String ID: 2427045233-2453097234
                    • Opcode ID: 262a3f9a3629654a666d745d061db0472794faffc9b407833c5b6dc2ad175e1e
                    • Instruction ID: 3562c0a716808c934ac8d13c11710cfa65038d29e13d6d1630a47638e082bb3c
                    • Opcode Fuzzy Hash: 262a3f9a3629654a666d745d061db0472794faffc9b407833c5b6dc2ad175e1e
                    • Instruction Fuzzy Hash: EB11A332A006188FCB05EBE9C491AEEB7B49F5C320F54013EE452B75C1DB786989CA64
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$@
                    • API String ID: 0-149943524
                    • Opcode ID: b85d9e46d916949732f18da11686c1293fb79fac9a8fa679e59ef6780a52040c
                    • Instruction ID: f9b08f4b1ef4b169d7e79b09692adbc8e50ab33cf5b190d740fac1c73a6323d6
                    • Opcode Fuzzy Hash: b85d9e46d916949732f18da11686c1293fb79fac9a8fa679e59ef6780a52040c
                    • Instruction Fuzzy Hash: 02D11A75218381DFD721CFA5C584AABBBF9AF88704F00492EF989D3651D730E909CB22
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: [RO] %ld bytes
                    • API String ID: 0-772938740
                    • Opcode ID: ef5a9a17417436e672f07fda0d3ac0e423f9d4c763340ea2ee6e9b790803e058
                    • Instruction ID: 65d6da7d2fef4982c9c82d84a1606c60066850d6d4bfe3cfa213f4deed145d8b
                    • Opcode Fuzzy Hash: ef5a9a17417436e672f07fda0d3ac0e423f9d4c763340ea2ee6e9b790803e058
                    • Instruction Fuzzy Hash: 322226B8A00B059FDB24DF69C584AAABBF2FF48304F148A6DD89AD7755D730E841CB50
                    APIs
                      • Part of subcall function 05887B60: GetCurrentProcess.KERNEL32(00000028,?), ref: 05887B79
                      • Part of subcall function 05887B60: OpenProcessToken.ADVAPI32(00000000), ref: 05887B80
                      • Part of subcall function 05887B60: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 05887BA6
                      • Part of subcall function 05887B60: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 05887BBC
                      • Part of subcall function 05887B60: GetLastError.KERNEL32 ref: 05887BC2
                      • Part of subcall function 05887B60: CloseHandle.KERNEL32(?), ref: 05887BD0
                    • ExitWindowsEx.USER32(00000006,00000000), ref: 0588B42D
                      • Part of subcall function 05887B60: CloseHandle.KERNEL32(?), ref: 05887BEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                    • String ID:
                    • API String ID: 681424410-0
                    • Opcode ID: 613a9f19f3b569c7ebce9a220ae9298fc4db48b835120cab0e938f0130ec8b79
                    • Instruction ID: 16536aeefd2ef56e96979692e6ba8317bb837a0ca7385a75918f9faab91f9ba3
                    • Opcode Fuzzy Hash: 613a9f19f3b569c7ebce9a220ae9298fc4db48b835120cab0e938f0130ec8b79
                    • Instruction Fuzzy Hash: 19C08C3674020802F22472AAB82AF7AB352DB84722F20002BAF0AC81C10C53A86041AB
                    APIs
                      • Part of subcall function 05887B60: GetCurrentProcess.KERNEL32(00000028,?), ref: 05887B79
                      • Part of subcall function 05887B60: OpenProcessToken.ADVAPI32(00000000), ref: 05887B80
                      • Part of subcall function 05887B60: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 05887BA6
                      • Part of subcall function 05887B60: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 05887BBC
                      • Part of subcall function 05887B60: GetLastError.KERNEL32 ref: 05887BC2
                      • Part of subcall function 05887B60: CloseHandle.KERNEL32(?), ref: 05887BD0
                    • ExitWindowsEx.USER32(00000005,00000000), ref: 0588B451
                      • Part of subcall function 05887B60: CloseHandle.KERNEL32(?), ref: 05887BEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                    • String ID:
                    • API String ID: 681424410-0
                    • Opcode ID: eebba360a0aa1312bd4395cb672a434746db998e304c3daab1cbe9fda3d8a772
                    • Instruction ID: afe113f89b0628cbdc194e182637018d7c75098d081c25cf69fe0dd86e15135c
                    • Opcode Fuzzy Hash: eebba360a0aa1312bd4395cb672a434746db998e304c3daab1cbe9fda3d8a772
                    • Instruction Fuzzy Hash: 2EC08C3674020802F22472AAB82AF7AB351DB84722F20002BAF1AC81C10C53A85001AB
                    APIs
                      • Part of subcall function 05887B60: GetCurrentProcess.KERNEL32(00000028,?), ref: 05887B79
                      • Part of subcall function 05887B60: OpenProcessToken.ADVAPI32(00000000), ref: 05887B80
                      • Part of subcall function 05887B60: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 05887BA6
                      • Part of subcall function 05887B60: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 05887BBC
                      • Part of subcall function 05887B60: GetLastError.KERNEL32 ref: 05887BC2
                      • Part of subcall function 05887B60: CloseHandle.KERNEL32(?), ref: 05887BD0
                    • ExitWindowsEx.USER32(00000004,00000000), ref: 0588B409
                      • Part of subcall function 05887B60: CloseHandle.KERNEL32(?), ref: 05887BEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                    • String ID:
                    • API String ID: 681424410-0
                    • Opcode ID: dc403a160a2fd511c792cb4ef5d8f93e7287413a80976c625df8a599cdcb9666
                    • Instruction ID: 5950af5d105754fbc4361421813bf546588d4da0ce7a59eb01f1483dff31f43d
                    • Opcode Fuzzy Hash: dc403a160a2fd511c792cb4ef5d8f93e7287413a80976c625df8a599cdcb9666
                    • Instruction Fuzzy Hash: E7C08C3674020806F22473AAB82AF79B351DB84722F20002BAF0AC81C10C63A85001AF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: qrks
                    • API String ID: 0-3937875505
                    • Opcode ID: 57a642f6c229e5c535e38d64937fc43c72021c38463b5cca4f6e2843ee79803d
                    • Instruction ID: 9ecfd14366f6d088ffaad6bcf9f1a5ed6f7cac1f5b49c520730241b4c2bb48a0
                    • Opcode Fuzzy Hash: 57a642f6c229e5c535e38d64937fc43c72021c38463b5cca4f6e2843ee79803d
                    • Instruction Fuzzy Hash: 7681BE72218341ABD720CF95C984A6FBBE9EB88768F14492EFA48D3254D730D940CB92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    • Opcode ID: 99d376bb96c326aaebeea3571a661e0eb4847d85884e0649f9d370338a0999fb
                    • Instruction ID: 02c0a4244e35deec81d91413a76c13fca448e812d584d98964a824e83c8fe653
                    • Opcode Fuzzy Hash: 99d376bb96c326aaebeea3571a661e0eb4847d85884e0649f9d370338a0999fb
                    • Instruction Fuzzy Hash: A3512471600A0466DB388D7D85557FF2796AB26308F58093BE8468B793C60DEDCF825E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    • Opcode ID: 4120c7c201e1aae3e6d74086ad28fb4559a06e3d86e3daaf1359f0f4076d8628
                    • Instruction ID: 907e6acf196ad7f5bb32f45c96db215acfec8f90c604e3bb111b1bac785a2998
                    • Opcode Fuzzy Hash: 4120c7c201e1aae3e6d74086ad28fb4559a06e3d86e3daaf1359f0f4076d8628
                    • Instruction Fuzzy Hash: 7A5199722106455ADB38996885567FF27C99B42308F58083BE892CB3E2D61EDDCF835E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: c7561d097c12d317b36081542386e631b2d0634a52866dae06d7b026f7ad4a9e
                    • Instruction ID: 1e26a200a810c4a752718c8f73ae747f24c754c12181164cbc42a829515c2a87
                    • Opcode Fuzzy Hash: c7561d097c12d317b36081542386e631b2d0634a52866dae06d7b026f7ad4a9e
                    • Instruction Fuzzy Hash: B7819C72951229EFCB219F95DD8CBA9BBB8FF48700F1000EAE509A65A0D7749BC1CF50
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: (D#$
                    • API String ID: 0-2986077793
                    • Opcode ID: 7647ad8f0bd829f2b17a0d14d5e5a3b607031fd2c438767243e47b97203bcf90
                    • Instruction ID: c3769a8ff4a2a2f0913c8f1943f133846b0f549150ffc58964089dd5f51d5066
                    • Opcode Fuzzy Hash: 7647ad8f0bd829f2b17a0d14d5e5a3b607031fd2c438767243e47b97203bcf90
                    • Instruction Fuzzy Hash: 856159B7E503199BCB18DAB4CD8CAD9BBAAABC9300F20457BD405EB154DB709A41CF90
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: 862e08d8d64e744cc47c13e798763f3a759917b7b3a03219bf9799cfd2386458
                    • Instruction ID: 70fdf806ff7666eec497d03b5f35940ed14bf465aa548ea2d68c4c03acc6250e
                    • Opcode Fuzzy Hash: 862e08d8d64e744cc47c13e798763f3a759917b7b3a03219bf9799cfd2386458
                    • Instruction Fuzzy Hash: C9714871A20219AFDB32CF64DD88BAAB7B9EF45354F1044A9F51AE7614DB30DA84CF10
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: zdbf
                    • API String ID: 0-2567057744
                    • Opcode ID: 046a7d9e54495da309052f60e6c67f51d04b1c379253d54143c164cce17528d6
                    • Instruction ID: d9b44005989019f905c25bb2bf469722db9a123c655ddf21a943dce230ac3528
                    • Opcode Fuzzy Hash: 046a7d9e54495da309052f60e6c67f51d04b1c379253d54143c164cce17528d6
                    • Instruction Fuzzy Hash: B1410A71BA0301BBF7275AE58C41FEA766D9F507CCF144114BD41AB1D8D7A0AE018BA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: zdbf
                    • API String ID: 0-2567057744
                    • Opcode ID: 5cbcaf253742308443275936c7f8166a56b001b1704efd10bff21da4e39597f2
                    • Instruction ID: 8be978429df1158b1127400ee7895cd7662240a0dafe0f05c92eb2d621b86403
                    • Opcode Fuzzy Hash: 5cbcaf253742308443275936c7f8166a56b001b1704efd10bff21da4e39597f2
                    • Instruction Fuzzy Hash: E3412932B20301EFEB129FD5C984FED7BB4AF80758F924165EA11BB695C7B09900CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: ce8be1afc00a9959cfe332b19a5803a05035d49366153e4f44881da82bbe5e70
                    • Instruction ID: daf98a2fce697328d93386c32bd6769032cfde3218fe08bad2e7d01d346525d9
                    • Opcode Fuzzy Hash: ce8be1afc00a9959cfe332b19a5803a05035d49366153e4f44881da82bbe5e70
                    • Instruction Fuzzy Hash: 50412C72D01229AFEB309B94DC48FDABA79AB44754F1045E6E90DE7240DB709E848FA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: #
                    • API String ID: 0-1885708031
                    • Opcode ID: 03093f0fe357a286dc27a2bf7162e72be52dbf02bd2b991bca6e3d79cc72f15d
                    • Instruction ID: 2c9c86276a9298a267f28669cf02ff7de38418f383201e9fdbe1f808a00a798e
                    • Opcode Fuzzy Hash: 03093f0fe357a286dc27a2bf7162e72be52dbf02bd2b991bca6e3d79cc72f15d
                    • Instruction Fuzzy Hash: F441F376E20205EFCB18DFE8CC41AFEB7B5EF84340F514429EA05AB245E770AA01CB90
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID: (
                    • API String ID: 0-3887548279
                    • Opcode ID: 02f5e22cad23bcf07b7d0a9aa12e5a0f7f1e7ee0db637b1c424ab50fda3a3d27
                    • Instruction ID: cde3290f6b799405032802b7b6fd0721fa7e588f453e7913ef9d83338aad84ee
                    • Opcode Fuzzy Hash: 02f5e22cad23bcf07b7d0a9aa12e5a0f7f1e7ee0db637b1c424ab50fda3a3d27
                    • Instruction Fuzzy Hash: 0A41CCB1D102099FDF20CFDAD888B9EBBF4BB08354F60852AE459AB294D3749945CF64
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3529df317ed5255799b7db25904c2f42fe6c05ffd3732993d5c7905e331e9fab
                    • Instruction ID: 599e55c2077d9fb3670c052b3d0a70f2961585c8654c3798d9a31018b3fe075d
                    • Opcode Fuzzy Hash: 3529df317ed5255799b7db25904c2f42fe6c05ffd3732993d5c7905e331e9fab
                    • Instruction Fuzzy Hash: F4822CB4E202068FDF28CF99C490ABAB7F2FF88304F18856DD94597648E775EA51CB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3e280eb3d370ae67ade181f49e25fca8c975c6bba6192fc65036a3ef21be17bb
                    • Instruction ID: 8c0315d0299a5bc2396010effb170a95a42d5226f205b6f4970e21d627b98f78
                    • Opcode Fuzzy Hash: 3e280eb3d370ae67ade181f49e25fca8c975c6bba6192fc65036a3ef21be17bb
                    • Instruction Fuzzy Hash: 4B321AB7F507299BCB14CED5DCC05CDB3B2BF98214B1E9165C914F7306E6B8AA068B90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aa5f8f3954fae5afff5fbcd55f0afed162239bf7f7a9cef1e12d6104c68de0c8
                    • Instruction ID: a3dc61098e4a602e7fd85f391760a5b31dd480b710b24ca4e95ed93bea0538d9
                    • Opcode Fuzzy Hash: aa5f8f3954fae5afff5fbcd55f0afed162239bf7f7a9cef1e12d6104c68de0c8
                    • Instruction Fuzzy Hash: 38322525E28F514DD7239634EC7233AA248AFB73C4F55D737E81AB5AA6EF28D4834104
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f933a730031b89d025ea583653a8a3e0c86aae27f30676c2f9e3e185c12f5a78
                    • Instruction ID: 83bf5f387bc5a8af9e1bcfa9b32cb766921cf783b9cf001f77986e91e9a92805
                    • Opcode Fuzzy Hash: f933a730031b89d025ea583653a8a3e0c86aae27f30676c2f9e3e185c12f5a78
                    • Instruction Fuzzy Hash: 68321AB7F507299BCB14CED5DCC05CDB3B2BB98214B1E9165C914F7306E6B8AE068B90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0fd93fc5de68bc5a207da332796e7894f3e78f288a864ca2d723b33996c89695
                    • Instruction ID: 09c34d351c6364289e2b38e119607028f155935569b9dac664183becf782e57a
                    • Opcode Fuzzy Hash: 0fd93fc5de68bc5a207da332796e7894f3e78f288a864ca2d723b33996c89695
                    • Instruction Fuzzy Hash: 75321AB7F507299FCB14CED5DCC05CDB3B2BB98214B1E9165C914F7306E6B8AA068B90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0de34ec9fda15d8b33ad715ce4cc2a5e0d48e4865fa5bbc03b41a52fb609f80d
                    • Instruction ID: 91f6de57689744248833a8cdc14d4f17009033d24d97607c33cf5f65305dd7ff
                    • Opcode Fuzzy Hash: 0de34ec9fda15d8b33ad715ce4cc2a5e0d48e4865fa5bbc03b41a52fb609f80d
                    • Instruction Fuzzy Hash: DA225277E5151A8BDB08CA99CC515D9B3E3BBC8314B1F9129C819E3305EE79BA478BC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ea324f6567ebc8026bd82ad39bcdc46a436b72a23d3686b6a218df958b3268d4
                    • Instruction ID: cd5540e7b5c30db7c005b1e1b0d90867f89b2650ec295a96768b9a60dc4d0912
                    • Opcode Fuzzy Hash: ea324f6567ebc8026bd82ad39bcdc46a436b72a23d3686b6a218df958b3268d4
                    • Instruction Fuzzy Hash: 5302B132E102169FCB21DFE4CC64BAEB7B9EF54708F154569EA02EB618DB349D05CB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fae3e4a251c3bde6055d4efdc263bb3bb2500922ce25f6367c7fbff57ddeebb2
                    • Instruction ID: 2423609f72499d1b0fba43594f5e86935366f2f64d2dae569907490906d47a15
                    • Opcode Fuzzy Hash: fae3e4a251c3bde6055d4efdc263bb3bb2500922ce25f6367c7fbff57ddeebb2
                    • Instruction Fuzzy Hash: 7702A737D106618FDB40CFADDC8414AB7A2AF99201B6EC6B9CA4867316C630FE16C7D4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b7a01516143f0c8ebd1aec0a8eea070a511b7d56e9bdc7f00ba61e77b8706f5e
                    • Instruction ID: 632e1591b3a63b9037bc199762dab50237b794ee1803eef00e2a3a899220cf5d
                    • Opcode Fuzzy Hash: b7a01516143f0c8ebd1aec0a8eea070a511b7d56e9bdc7f00ba61e77b8706f5e
                    • Instruction Fuzzy Hash: 95F19633D10A618BDB40CFADDC84549B7A6BF99201B6EC2B5CA4867316C630FE56C7E4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 53427924ad177fac11ea59575be53a7c49b9e32924fb5bb0862538933f992cff
                    • Instruction ID: 1cd008c9eba433c83685eb3f1f5792664c17ad0274dfd328c600bc36a8826d90
                    • Opcode Fuzzy Hash: 53427924ad177fac11ea59575be53a7c49b9e32924fb5bb0862538933f992cff
                    • Instruction Fuzzy Hash: D4F19633D10A618BDB40CFADDC80549B7A6AF89201B6EC2B5CA4867316C630FE56CBD4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aade63ed24d42035ad63bcf9ea19e7485abc3783a744a6dada0b56957000d99f
                    • Instruction ID: 9b5a724d8892a7f47028d12a84e492cd12a24cb0be2888d6715f81049c7659d3
                    • Opcode Fuzzy Hash: aade63ed24d42035ad63bcf9ea19e7485abc3783a744a6dada0b56957000d99f
                    • Instruction Fuzzy Hash: 04F19533D10A618BDB40CFADDC84549B7A2BF99201B6EC2B5CA4867316C630FE56CBD4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6d03e9b99d0dc6f6e31d1dd635d4f5f23e9c69ccf3da5e177c1b4f28a7e20576
                    • Instruction ID: 70aaacc530ddb117f344a5e0cc9cb93a150ead045dc1d70fc8cef11c7f06b689
                    • Opcode Fuzzy Hash: 6d03e9b99d0dc6f6e31d1dd635d4f5f23e9c69ccf3da5e177c1b4f28a7e20576
                    • Instruction Fuzzy Hash: 48E137B1D2162ACFDB28CF99D8906ADBBB1FF48700F15825AEC05AB709D3749841CF94
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: bfba0a5441aed94af7dac59f40aff5ba4e9ee9f8f9afaf612e1993249f304e04
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: 4EC198322450A30ADB5D463989B41BFBBE15E917B131A07AFD4B3CB2C4FE18D5A8D528
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: de16a12a486f2118c9cbd1cbfc846da3162c8d19807b39e84e397826ce870f87
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: A7C10A722451A30ADF6D4639C97017FBBE25A927B131A079FD4B3CB2C4FE18D5A8C528
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                    • Instruction ID: 10f74dd4704439bb90d9f9a713546d39eaefaa697b2f891d5f124c22fdfd8b9a
                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                    • Instruction Fuzzy Hash: 3EC1C8322451630ADF5D46398DB41BFBBE15EA17B131A079FD4B2CB2C0FE18D5A8D628
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: c97b6d5c82451b633948e46dba8c5df9d0402a5f97bad7db6287073dce9db566
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: 8BC1CA322851630ADF6D4639C9B41BFBBE15A917B131A079FD4B3CB2C4FE28D5A8C524
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 01b47afef41298447906048b67300f2f0ec74bb9691d39088929b4ed65596c59
                    • Instruction ID: 94105cc19c11ce371473bf7de93381e8e79eafcd032c7381ca7076acce5dd639
                    • Opcode Fuzzy Hash: 01b47afef41298447906048b67300f2f0ec74bb9691d39088929b4ed65596c59
                    • Instruction Fuzzy Hash: 98A18C72928352DBC321DF64C884A9BBBE9AF88794F114A2DFD94A7354D770DC04CB92
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c917e57ed030578cd7a1b77a4366148b9eaf0899cc1085d6cd8b2473a5544e8f
                    • Instruction ID: 768a920e9d7e8fd07f8bcc844dd577ebb4d77bb15d979ba192a71138864f8639
                    • Opcode Fuzzy Hash: c917e57ed030578cd7a1b77a4366148b9eaf0899cc1085d6cd8b2473a5544e8f
                    • Instruction Fuzzy Hash: 72B18C32220618DFD719CF28D48AB657BE0FF45364F698659E899CF2A1C339DD82CB44
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6f46978247d9adcac699208e9905aa961fcf73298a2c94a6897231f903b1fed6
                    • Instruction ID: c4e5d103a27f085af8c33eaddf1a7b3472dfbe191ac0a3129e582d1db2da7225
                    • Opcode Fuzzy Hash: 6f46978247d9adcac699208e9905aa961fcf73298a2c94a6897231f903b1fed6
                    • Instruction Fuzzy Hash: 3691A63191121A9BDF21EF94DE88FEA77B9EF44714F5001A9E819935A4DB30DE81CF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b1d3802dc5f6050e51e6408200d343b399cf251e139224c8cca2ddb6ae646417
                    • Instruction ID: 58bac6026083cc343af621a8a37133c64aba5725322b0bb826dc493bff3e181a
                    • Opcode Fuzzy Hash: b1d3802dc5f6050e51e6408200d343b399cf251e139224c8cca2ddb6ae646417
                    • Instruction Fuzzy Hash: 9E71E371A20305AEEB16AAD4CC45FFE7779AF48744F814165FD01EF288E770AA41C751
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 196ebf6781e0f74c87b8deda6e7e85fc626370453615e591f92526e88ebc37d0
                    • Instruction ID: 6f87a288df769381c7d1ea56bcedc8f38b0d9736ad169c1d2117b73189137cd9
                    • Opcode Fuzzy Hash: 196ebf6781e0f74c87b8deda6e7e85fc626370453615e591f92526e88ebc37d0
                    • Instruction Fuzzy Hash: 5691B371A107068FDB24CFA9C868BA6B7F5FF48304F1085A9E44A97A55DB70E981CF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f7f4ff5b70e6a80c91a2defd0196956126a12cd39a6851b3bc32253beffbddc0
                    • Instruction ID: fbc147795ce7f34de660e5b0e6701508e38fe6e6cc1785e58f516a24c860704b
                    • Opcode Fuzzy Hash: f7f4ff5b70e6a80c91a2defd0196956126a12cd39a6851b3bc32253beffbddc0
                    • Instruction Fuzzy Hash: 8C61C571A66302DBD739EF94D884BAB73E9AF88754F04492EF945972C4D770D800CBA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7a475ee063dbde626e5ffc176d1c3060cf5d5c3c3077ed866ce00537f5da2d70
                    • Instruction ID: 0273cd6afb16e2a9c5d76ac2da7c465c3232f173cdd8de0b091f4dd4da858625
                    • Opcode Fuzzy Hash: 7a475ee063dbde626e5ffc176d1c3060cf5d5c3c3077ed866ce00537f5da2d70
                    • Instruction Fuzzy Hash: B661A2706183019FD719DFA4C880BEAB7E6AFC8788F04492DF99997294DB70D905CF92
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 087820a5acb7b835954214386905632c9a9a341cf7519a7727dae5575129ead0
                    • Instruction ID: ced094d0886dc5619fee98700ce8f9140fa2ef6861cbc13b1cf9aa1c3ec0a64a
                    • Opcode Fuzzy Hash: 087820a5acb7b835954214386905632c9a9a341cf7519a7727dae5575129ead0
                    • Instruction Fuzzy Hash: 5C513B36A11212DBCB25FF98C8406BAB3B6FF8570CB19856DD802DB698E731F952C750
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9987cd5d478fa0632211cc876655512a5c5347b105626eeb42cf4429e761381f
                    • Instruction ID: 35a5d2f2b2fadbcb94507282c3559dcff10233b883b8b476d9f8510f3139965b
                    • Opcode Fuzzy Hash: 9987cd5d478fa0632211cc876655512a5c5347b105626eeb42cf4429e761381f
                    • Instruction Fuzzy Hash: F751F771E60315ABEB229AD4CC44FFE7AACEF44794F440125F905AB285D760EC058BA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 54a31eb55702faf0babc0482721ecbd77552fe7dba4ac65ded4f4fa3ab0d7552
                    • Instruction ID: a3f57a276014efe9d3447e20543f7133c19bdbe1c60cdfc695d4927295892d7d
                    • Opcode Fuzzy Hash: 54a31eb55702faf0babc0482721ecbd77552fe7dba4ac65ded4f4fa3ab0d7552
                    • Instruction Fuzzy Hash: 7151A2B1A102199FDB208FA4DC98B9A77BCEB55708F0040F9A708E2145EB719E84CF25
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d8102ffba6620f3d05ee683c1f68ddb6f7afb391b27629e07e1e710b3b354f0
                    • Instruction ID: 3885dd0bc7f06559235f1506dff24c4a16e5849391a8cd1008bf1e0cb476a7cd
                    • Opcode Fuzzy Hash: 3d8102ffba6620f3d05ee683c1f68ddb6f7afb391b27629e07e1e710b3b354f0
                    • Instruction Fuzzy Hash: 79518B32A20206EFEF24DFE8D984BAE77A8FF05704F52046AE901E7258D7709E10DB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e163f70c640ef50be3c7ca8aac462640ee482594af5c854eb4bb1a0c0a1e885
                    • Instruction ID: 0e90f0c5a86b31c726a290241eae37686cd16f1b55d34b1d2c397aa647f96efc
                    • Opcode Fuzzy Hash: 9e163f70c640ef50be3c7ca8aac462640ee482594af5c854eb4bb1a0c0a1e885
                    • Instruction Fuzzy Hash: A551C132A2225A9BDF25AED0CE84BAB37B5FB44300F504569EE05DA584DB74D9908F90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9bec6633f354452050b71d4758241678f18fbfcbca50cbf4bbd5fd6f9ff94fea
                    • Instruction ID: a988b5990fb69c5db0e02b8afbb4feb9387808ade0b79a5a85b07d8f0ca5de40
                    • Opcode Fuzzy Hash: 9bec6633f354452050b71d4758241678f18fbfcbca50cbf4bbd5fd6f9ff94fea
                    • Instruction Fuzzy Hash: 39512676A5121AABCB21AFD0DE48FAA7779EF04744F540060F905E35A8DBB0DE51CF90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 70dfcd25373fbe48fcb67dd6a6333b2422532f85c6eff56ad0d9fd50a6e63fd5
                    • Instruction ID: f5dfc72073a10ea744ca7905a1dc0cc7c4e4db48d3fde1696e669ce3d86be50c
                    • Opcode Fuzzy Hash: 70dfcd25373fbe48fcb67dd6a6333b2422532f85c6eff56ad0d9fd50a6e63fd5
                    • Instruction Fuzzy Hash: 50414EB5A202159BD7119FE4C880BFDB7F5EF85754F114829FA45DB688E770A980CB10
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 963b965448a7b7d4e17c489dc0e60618229a6113bb16489ebe398dbe8f7b6b31
                    • Instruction ID: b1cafe0fd8c7e4526e67cfcd245ee7bb87b5fd92fc84e18f36b65d083aa92484
                    • Opcode Fuzzy Hash: 963b965448a7b7d4e17c489dc0e60618229a6113bb16489ebe398dbe8f7b6b31
                    • Instruction Fuzzy Hash: E1512731911602DFC721EFA8D844B6AB7F4FF48710B15456AE946DB3A4D730ED12DBA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c3a4e6a00cdd249f5116b710f6dd6c2088cfaa07171c3f099afed1a74a41d72e
                    • Instruction ID: c50ff6313981b1a4b1ee62ff5f013e4cdc30b22e585c6e14cf0877fb60eb04e3
                    • Opcode Fuzzy Hash: c3a4e6a00cdd249f5116b710f6dd6c2088cfaa07171c3f099afed1a74a41d72e
                    • Instruction Fuzzy Hash: 5E41E532A62605ABCB25BFE4DC04F7F77BAEF84744F104426E40296298DB74D991CFA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: deac3a7aa5db223708d1eadeadb2405594cc214f0fda2ad23f5d8abc9dc1067e
                    • Instruction ID: 427f1371114338dad5e274b21947de7ce9138e60733a09aba20094da0f0e875a
                    • Opcode Fuzzy Hash: deac3a7aa5db223708d1eadeadb2405594cc214f0fda2ad23f5d8abc9dc1067e
                    • Instruction Fuzzy Hash: D4414A369202028BC7379FE4DE99BBB7765EF81794B09083CFD0587A19D760CC05C691
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7fb4fc6293664cc79c2bcc6dd51300d3cac13dd791027c0f3e0523e548fb8d1d
                    • Instruction ID: d51d9fb0c23b9899628a2ad49b415e9a733dc0083773fdb8c182ae4e9e001d1f
                    • Opcode Fuzzy Hash: 7fb4fc6293664cc79c2bcc6dd51300d3cac13dd791027c0f3e0523e548fb8d1d
                    • Instruction Fuzzy Hash: C8517B71A283029FCB10CFA9D884A6AB7E9FF88744F08493EF588D3654E734D904CB95
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eda8c44647c7736df40ad64d6cbc144f2353cd61760eabaa220dbb4315865868
                    • Instruction ID: cdf41528b0aa463d74de33706ac2d155486af6aaaec6b3c440446276640bad69
                    • Opcode Fuzzy Hash: eda8c44647c7736df40ad64d6cbc144f2353cd61760eabaa220dbb4315865868
                    • Instruction Fuzzy Hash: B751C071A2021ACBDF24EF95C884BA6B7B8FF55304F1441AAD815CB269D770DD80DFA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 69f8c609156f1e8e4c293fbf3c2195ba934371703a58fb947dc69676208f7862
                    • Instruction ID: 770a2fb18d8ef08ee7ab27ceae055f5642bb554386fad1f284ed7358c0ef1b3f
                    • Opcode Fuzzy Hash: 69f8c609156f1e8e4c293fbf3c2195ba934371703a58fb947dc69676208f7862
                    • Instruction Fuzzy Hash: 8A41F632A22216DBDF19EEE9C480BAE77B1EF44354F154064E906A72D9C770FD49CB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    • Instruction ID: 5a35f4f06899d04712f51b027c0f55724c31036e30fe3faefdacdbe3480957b9
                    • Opcode Fuzzy Hash: 1dd0b9c5944565130570a723d7421a4186c9a489530cd22930ee15224936c538
                    • Instruction Fuzzy Hash: 0E01D23591031AEBCB10EBA0C5247B9BBB4FF04705F0480A5E8829A888E374DB45EBA5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4892d1e160d21b452b93a9739d53f264522e544c87cfac4d34e7ad9bd8f9246a
                    • Instruction ID: de1cf7a0533a0e94fe1e15761585561cd0408d026ea64084bd6f8375b8673e8e
                    • Opcode Fuzzy Hash: 4892d1e160d21b452b93a9739d53f264522e544c87cfac4d34e7ad9bd8f9246a
                    • Instruction Fuzzy Hash: CEF0E273710A006BC716AADE48449ABB2AFAFD8710F488464B905BB340DAB59D5186A0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c9b566ea08acb99e810c30c2329d20291030beb95771ac666a47cfa843bc93e7
                    • Instruction ID: 733c7defca86689f2cf2c6cec7f80b2e0d0bdf5264353a69a5658243e4db2114
                    • Opcode Fuzzy Hash: c9b566ea08acb99e810c30c2329d20291030beb95771ac666a47cfa843bc93e7
                    • Instruction Fuzzy Hash: 0201A2732612408FD310AFE4CDDCE3A77AAEB8074CF148565EA0597619CB75D884C960
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6a859210293ed90d15fce2e709d99a2120e748018810e9686c6d4ba806c2ea11
                    • Instruction ID: 14f1b53ee7cad7f862819bb01bef8ca4b5a7d6f5439d35ecaa8a13fb5b3589b4
                    • Opcode Fuzzy Hash: 6a859210293ed90d15fce2e709d99a2120e748018810e9686c6d4ba806c2ea11
                    • Instruction Fuzzy Hash: D1F02232151281EBDB21AFD5EC08FAB37B8EF85700F00442AF50A876A0D334D426CBA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f4e564ca8d40244b256ca599c685f07d73043c788197ef2ffba0e4f7403d1d9
                    • Instruction ID: 826899b0958a3acb69a229b660f9ee869b8eba451eb019b5a8b5f08a85df94db
                    • Opcode Fuzzy Hash: 8f4e564ca8d40244b256ca599c685f07d73043c788197ef2ffba0e4f7403d1d9
                    • Instruction Fuzzy Hash: 94018175A20308AFC708DF64D891E9AB7F9FB4C300F108569B406EB281EB70E900CB54
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7d2b2081f8a02f0623d079e1b087fe6749f6a793ef3737e2b3075ce75dc28974
                    • Instruction ID: ff3f8dd0e08d9e662f848f3962ad0a81236879173db0805c10a3e16662c1c5cf
                    • Opcode Fuzzy Hash: 7d2b2081f8a02f0623d079e1b087fe6749f6a793ef3737e2b3075ce75dc28974
                    • Instruction Fuzzy Hash: D9F0E933494743EAD7334689EC49BE6FBB4DFC179CF240429ED54165A5C77698C0C590
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f1f4fe29a6ed8acc666750766eaa4c187cdc0a5ab82ae7c7a86fa77201ed39a6
                    • Instruction ID: 78d3f0d7ea395170a0ddf7bb6f2ffa7d39755b8a1ea9078c90d4bf0fee611a3b
                    • Opcode Fuzzy Hash: f1f4fe29a6ed8acc666750766eaa4c187cdc0a5ab82ae7c7a86fa77201ed39a6
                    • Instruction Fuzzy Hash: 50E023366D151097C7315AD8EC1CB9ABB25DBC17A5F260134FD145B584C7718C11C7E4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 46ac22e05a8f276b30255be532e6954f615311fc94750cbb7d5be2aa40435a25
                    • Instruction ID: c802cf6c04fd249671eb60f3597b2d1ace81b266a90833c3c3c6c9b209906770
                    • Opcode Fuzzy Hash: 46ac22e05a8f276b30255be532e6954f615311fc94750cbb7d5be2aa40435a25
                    • Instruction Fuzzy Hash: 3FE0653010C29ACFCB02BB04D5204EDF7E2AF66B00F9A0D4DC5C213240DA791551DB8B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 027bd08fc00f2a19e79c0817cec5c103b002b86706294bd2a107f5e965a18168
                    • Instruction ID: d117f76758985e15bba0c1d0de5c7e28cc976bf4b2da38fc9baa8d1c8ae31bae
                    • Opcode Fuzzy Hash: 027bd08fc00f2a19e79c0817cec5c103b002b86706294bd2a107f5e965a18168
                    • Instruction Fuzzy Hash: 99E04F76610215ABDB18DB81D919EFA7779EB80748F140158E90656580EAB1EE02DBA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fd01efbafce56f6e3d6af4757e9415f0ba2d38a882a8429ac65b8de0dde329c8
                    • Instruction ID: db2ad0eaf05c6aab53a0ad152de88511b2a470f36823fd56284e5e49fb2f5774
                    • Opcode Fuzzy Hash: fd01efbafce56f6e3d6af4757e9415f0ba2d38a882a8429ac65b8de0dde329c8
                    • Instruction Fuzzy Hash: 40E01237650154ABC7215F45D808F5ABB79EB88B61F158025F90597250C630ED11CBE0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9c20e6e4e53decef1996bd2ab8372aa0e39c600cabafc48d085c0d13906a37db
                    • Instruction ID: 377dbda159f49faa8dd5b582eb7575ac46b3b97cc624f58297fc5ca1bca120bf
                    • Opcode Fuzzy Hash: 9c20e6e4e53decef1996bd2ab8372aa0e39c600cabafc48d085c0d13906a37db
                    • Instruction Fuzzy Hash: CBE06D36811A01DFC7324F46E908953BBF5FFC0B61319C92EE46A46A24C730D812CF50
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d0f2078bbc8381385b386fbc6463990bda084c6bb1efa06929cc51e011a776b1
                    • Instruction ID: 4018cadeabec09c7d2c49608e872f22a97946c1c5738dcc97b8f743c09548b0f
                    • Opcode Fuzzy Hash: d0f2078bbc8381385b386fbc6463990bda084c6bb1efa06929cc51e011a776b1
                    • Instruction Fuzzy Hash: A6E0DF72610209ABCB18DB81CD19EAAB779EB80758F100058E40656580EAB1AE02DBA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9aae3a910afc1bd553cfac3e28f2475d05d658f0dc5cb5787adcaaff13f84bc6
                    • Instruction ID: 44730831d7b615353c93ad51762455ddd35388a1f9d052253edf12e954c182e5
                    • Opcode Fuzzy Hash: 9aae3a910afc1bd553cfac3e28f2475d05d658f0dc5cb5787adcaaff13f84bc6
                    • Instruction Fuzzy Hash: 1CF0F871912102CFD715DF08D644B91FBB1FF89348F2981AAE5589F211D371EC82CB80
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmpDownload File
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e9013bc2dc5da30abb62f1fc6261816ca78e32bb2a49c5c3f12029533e9db291
                    • Instruction ID: cb5bb9cb53a10829c100f62cd8b2219444f1998ff8a9aff4de934b1ae18b4447
                    • Opcode Fuzzy Hash: e9013bc2dc5da30abb62f1fc6261816ca78e32bb2a49c5c3f12029533e9db291
                    • Instruction Fuzzy Hash: 3BE04F31100318AFCF417F10ED48A4A7BA9EB40745F404029F80556532CF39ED52CF58
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                    • Instruction ID: c2a3ae4d671b07e61de5e50444f0d9b98c0c8205541f12abf455fbea2c114eb9
                    • Opcode Fuzzy Hash: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                    • Instruction Fuzzy Hash: 99D012331111247BC7259E8ADC44DD3BFADFF897A0B014055B51C875108530D810C7E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4fdc058ce6f6884bde2799515048fbb555572899b6e21c9d0c7a00aa6b37b209
                    • Instruction ID: 6e383217ca800bb9f62331e42236664fa0bb5207a89fdc2443e0312348d5b73a
                    • Opcode Fuzzy Hash: 4fdc058ce6f6884bde2799515048fbb555572899b6e21c9d0c7a00aa6b37b209
                    • Instruction Fuzzy Hash: 17E04F32451610AFCB315B85E808F93BBA8EB01765F148425E50956460C775A910DF90
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5dc24893aace988a35ecd73e246208930ec6445dd99927539e494dc6e981f5bc
                    • Instruction ID: cebb28a1d65a83e083f05adbebdde07a25a32051c6a47f8fdaea75893e1d3351
                    • Opcode Fuzzy Hash: 5dc24893aace988a35ecd73e246208930ec6445dd99927539e494dc6e981f5bc
                    • Instruction Fuzzy Hash: FBD02E32280298A7CB342E88B808F82BFA8DB00790F240025FA0487250CAB0A800C3D8
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6c954125d07a6c40e8a07cd747802c0c19018b7384788b34aeae02da9c1f8ea1
                    • Instruction ID: d26982dae26a18a38907349bd0fd4d7e171fecec801ce7d8fa22cff12f4b4bbc
                    • Opcode Fuzzy Hash: 6c954125d07a6c40e8a07cd747802c0c19018b7384788b34aeae02da9c1f8ea1
                    • Instruction Fuzzy Hash: DCD0A73123028A9BCF22EA9DC444F6177D8A74466CF0C8020F85E87104C334F840EB10
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9ffbbf828355356ec812804d5d7b2285c9a68d8aa31d6f31d95f5308b5c41d53
                    • Instruction ID: 0866291b27594e35fcde5c7c9a51ab8ab4515e476a97ba91bc0f71b48c70950d
                    • Opcode Fuzzy Hash: 9ffbbf828355356ec812804d5d7b2285c9a68d8aa31d6f31d95f5308b5c41d53
                    • Instruction Fuzzy Hash: 55C01232761980CADF116F60C90C72133E4E71064AF084474A001D506CDB24C4E1E600
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d3696ecc806c3e3492e4c484b1b8272d99a7f0668c5875144a6339bb6c492ad9
                    • Instruction ID: 33df3621f03aa92469ab77afaf885f6d1b311973975121a4496c8fcc854d21f2
                    • Opcode Fuzzy Hash: d3696ecc806c3e3492e4c484b1b8272d99a7f0668c5875144a6339bb6c492ad9
                    • Instruction Fuzzy Hash: 2DD01232080648EBC7265F84DA0CFA57B7AE754754F644020F608069B0C775D9B0DAD4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: accb1398fa82048500a73bef355ca69f696f10a3652e08853513937dfc3a3bca
                    • Instruction ID: 78844dd991f5fbe98812123dfceb7bb4607e2c54b55449aeba399ea5317e0a24
                    • Opcode Fuzzy Hash: accb1398fa82048500a73bef355ca69f696f10a3652e08853513937dfc3a3bca
                    • Instruction Fuzzy Hash: D8D0C931C51516DBCF219BD9C648B6AB675AB18745F40402AE4056113883384540CEA4
                    Memory Dump Source
                    • Source File: 00000000.00000002.4458151098.000000000225B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0225B000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_225b000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7b75edf13c842dce617d8efc78d166287f646fa710b9c812e04274ea1a54e40c
                    • Instruction ID: 31d0f837eaac6acf62bbb5977ec469666e220166c6520c7b34f2feffbaa9c8ee
                    • Opcode Fuzzy Hash: 7b75edf13c842dce617d8efc78d166287f646fa710b9c812e04274ea1a54e40c
                    • Instruction Fuzzy Hash: 78C01232891440ABCF22AF86EE4CE167A3AEB85B89F1404A8A001825318B3189A2DA10
                    APIs
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                    • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 0588B557
                    • RegDeleteValueW.ADVAPI32(?,IpDate), ref: 0588B567
                    • RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 0588B584
                    • _memset.LIBCMT ref: 0588B5A5
                    • RegCloseKey.ADVAPI32(?), ref: 0588B5EC
                    • _memset.LIBCMT ref: 0588B60D
                    • RegCloseKey.ADVAPI32(?), ref: 0588B6FD
                    • Sleep.KERNEL32(000007D0), ref: 0588B708
                      • Part of subcall function 0588F5F7: std::exception::exception.LIBCMT ref: 0588F646
                      • Part of subcall function 0588F5F7: std::exception::exception.LIBCMT ref: 0588F660
                      • Part of subcall function 0588F5F7: __CxxThrowException@8.LIBCMT ref: 0588F671
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
                    • String ID: 103.199.100.130$103.199.100.97$199.100.130$8080$8181$8282$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893F0A
                    • __mtterm.LIBCMT ref: 05893F16
                      • Part of subcall function 05893BE1: DecodePointer.KERNEL32(0000000C,05890F74,05890F5A,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893BF2
                      • Part of subcall function 05893BE1: TlsFree.KERNEL32(00000021,05890F74,05890F5A,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893C0C
                      • Part of subcall function 05893BE1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,05890F74,05890F5A,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05898C38
                      • Part of subcall function 05893BE1: _free.LIBCMT ref: 05898C3B
                      • Part of subcall function 05893BE1: DeleteCriticalSection.KERNEL32(00000021,?,?,05890F74,05890F5A,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05898C62
                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 05893F2C
                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 05893F39
                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 05893F46
                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 05893F53
                    • TlsAlloc.KERNEL32(?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893FA3
                    • TlsSetValue.KERNEL32(00000000,?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893FBE
                    • __init_pointers.LIBCMT ref: 05893FC8
                    • EncodePointer.KERNEL32(?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893FD9
                    • EncodePointer.KERNEL32(?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893FE6
                    • EncodePointer.KERNEL32(?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05893FF3
                    • EncodePointer.KERNEL32(?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05894000
                    • DecodePointer.KERNEL32(Function_00013D65,?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05894021
                    • __calloc_crt.LIBCMT ref: 05894036
                    • DecodePointer.KERNEL32(00000000,?,?,05890EB1,058A6168,00000008,05891045,?,?,?,058A6188,0000000C,05891100,?), ref: 05894050
                    • GetCurrentThreadId.KERNEL32 ref: 05894062
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
                    • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                    • API String ID: 3970221696-33419044
                    • Opcode ID: 3a2b62c7a28aa0122245211e0ba7e50370d5af8eec3c41ce688c0b47261c1fd2
                    • Instruction ID: 19f9d181840a916521f2067266a65f82762804b61374c5fe5afe72dedf9936b2
                    • Opcode Fuzzy Hash: 3a2b62c7a28aa0122245211e0ba7e50370d5af8eec3c41ce688c0b47261c1fd2
                    • Instruction Fuzzy Hash: 0F51CB71A4031D66DB34FB649D49FFE7778EF54700F004095BE0AD9184EA74AE85CB62
                    APIs
                    • LoadLibraryW.KERNEL32(wininet.dll), ref: 05887CB3
                    • GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 05887CC7
                    • FreeLibrary.KERNEL32(00000000), ref: 05887CE7
                    • GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 05887D06
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 05887D43
                    • _memset.LIBCMT ref: 05887D6E
                    • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 05887D7C
                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 05887DCB
                    • CloseHandle.KERNEL32(?), ref: 05887DE9
                    • Sleep.KERNEL32(00000001), ref: 05887DF1
                    • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 05887DFD
                    • FreeLibrary.KERNEL32(00000000), ref: 05887E18
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
                    • String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
                    • API String ID: 1463273941-1099148085
                    • Opcode ID: 935e6d09028838c8df65ec9f1c9ad5f59307a011fa2c0b40d68245c2282767f3
                    • Instruction ID: 26821639ff0d5289f40faa3db8bbdb82543d1a3d0b31a2869175efd62fd4cbdf
                    • Opcode Fuzzy Hash: 935e6d09028838c8df65ec9f1c9ad5f59307a011fa2c0b40d68245c2282767f3
                    • Instruction Fuzzy Hash: 06417475A40218AAEB30AB648C41FEAB7F9FF44700F10C1A5FA49E6180DE746E858F95
                    APIs
                    • Sleep.KERNEL32(00000064), ref: 0588455A
                    • timeGetTime.WINMM ref: 0588457B
                    • GetCurrentThreadId.KERNEL32 ref: 0588459B
                    • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 058845BD
                    • SwitchToThread.KERNEL32 ref: 058845D7
                    • SetEvent.KERNEL32(?), ref: 05884620
                    • CloseHandle.KERNEL32(?), ref: 05884644
                    • send.WS2_32(?,058A49C0,00000010,00000000), ref: 05884668
                    • SetEvent.KERNEL32(?), ref: 05884686
                    • InterlockedExchange.KERNEL32(?,00000000), ref: 05884691
                    • WSACloseEvent.WS2_32(?), ref: 0588469F
                    • shutdown.WS2_32(?,00000001), ref: 058846B3
                    • closesocket.WS2_32(?), ref: 058846BD
                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 058846F6
                    • SetLastError.KERNEL32(000005B4), ref: 0588470A
                    • GetCurrentThreadId.KERNEL32 ref: 0588472B
                    • InterlockedExchange.KERNEL32(?,00000001), ref: 05884743
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                    • String ID:
                    • API String ID: 1692523546-0
                    • Opcode ID: 23bc4f3d45f3f7eeae67516ba84b6a4f4c7ba656ac66e9cc851164cf5eb7fc7c
                    • Instruction ID: 264590c315ab9735bc0815715cc06d2c115069d6fd83e082ed24d2ffc7e74e01
                    • Opcode Fuzzy Hash: 23bc4f3d45f3f7eeae67516ba84b6a4f4c7ba656ac66e9cc851164cf5eb7fc7c
                    • Instruction Fuzzy Hash: BD91BF76600B16ABDB24EF24D888B7ABBA5FF44709F108119ED16C7A60DB71FC51CB90
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: _memset$swprintf$_malloc
                    • String ID: %s %s$onlyloadinmyself$vghaisfu
                    • API String ID: 1873853019-2470852376
                    • Opcode ID: 03ae2f575a9785b68a8663eec066c023e57f5708cca866e9d86c494a579ee2ed
                    • Instruction ID: ea52656c0da991983d3aff5d397f00ae905b13870d63c0990dd25d4918d75c89
                    • Opcode Fuzzy Hash: 03ae2f575a9785b68a8663eec066c023e57f5708cca866e9d86c494a579ee2ed
                    • Instruction Fuzzy Hash: 2981A0B6A40300ABEB14BF18DC8AF7B77A4EF45710F184164ED199F386E671ED50C6A2
                    APIs
                    • IsWindowVisible.USER32(?), ref: 05885CA3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: VisibleWindow
                    • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                    • API String ID: 1208467747-3439171801
                    • Opcode ID: f4017baa5e3563853ab833be729ed3d9d3b5a79dd3f2dec14db4bb7860ba1311
                    • Instruction ID: 256c9997fa4a83b5a1b1a42f5c497ffa806335d882b6500507bb7c7a82944aff
                    • Opcode Fuzzy Hash: f4017baa5e3563853ab833be729ed3d9d3b5a79dd3f2dec14db4bb7860ba1311
                    • Instruction Fuzzy Hash: 18414973F5172272EE713D752D06E7F218EED2288AF444024ED44E4304FAE9EE5694A7
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 0040D872
                      • Part of subcall function 0040EF6C: char_traits.LIBCPMT ref: 0040EF85
                      • Part of subcall function 004112D6: __EH_prolog3_catch.LIBCMT ref: 004112DD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_H_prolog3_catchchar_traits
                    • String ID: api_log.dll$avghooka.dll$avghookx.dll$cmdvrt32.dll$cmdvrt64.dll$dbghelp.dll$dir_watch.dll$pstorec.dll$sbiedll.dll$snxhk.dll$vmcheck.dll$wpespy.dll
                    • API String ID: 3519943210-1599972391
                    • Opcode ID: 87d95891234aec1c450919338791a7ebca6054b5fd8461353f5962cfad72156a
                    • Instruction ID: c65811b8fbe313e87d221b774cad1bdaa4a197a702579701ec1d69c0e0ecbe6d
                    • Opcode Fuzzy Hash: 87d95891234aec1c450919338791a7ebca6054b5fd8461353f5962cfad72156a
                    • Instruction Fuzzy Hash: 11413D70904398EBDF11EBA5C955BDDBB70AF19704F5044EEA08A731C2DBB81B48CB69
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 519965a2360e167d39b1a4d15452e994910e42678d7a62e64eef679e6030d87c
                    • Instruction ID: 85a9c9966b4c535f1b878223c3f7d77a8cc78eb428a97881d296d05b4db25939
                    • Opcode Fuzzy Hash: 519965a2360e167d39b1a4d15452e994910e42678d7a62e64eef679e6030d87c
                    • Instruction Fuzzy Hash: 6CB1CFB0A00255AEDB10DF69D881BEEB7F4FF08304F94402EF595A7252DBB99D81CB64
                    APIs
                    • SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,0588A8B1,?,?), ref: 0588D983
                    • SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,0588A8B1,?,?), ref: 0588D9A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ErrorLast
                    • String ID:
                    • API String ID: 1452528299-0
                    • Opcode ID: f0ea86b865a8df4a11bcc1133bff41a7392d8dbd6de8bebccaa880d7b04194b6
                    • Instruction ID: fec933dce19632b77a37e92cc6f3845e283923ab1b5cf73f6ade4a4c8375a84f
                    • Opcode Fuzzy Hash: f0ea86b865a8df4a11bcc1133bff41a7392d8dbd6de8bebccaa880d7b04194b6
                    • Instruction Fuzzy Hash: E381D3757066019BE720EF69DC85BB6B7E4FB44325F144169ED0AC7A80EB71EC008BD0
                    APIs
                    • _memset.LIBCMT ref: 0588C59D
                    • _memset.LIBCMT ref: 0588C5AC
                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 0588C5CF
                      • Part of subcall function 0588C77E: RegCloseKey.ADVAPI32(80000000,0588C75A), ref: 0588C78B
                      • Part of subcall function 0588C77E: RegCloseKey.ADVAPI32(00000000), ref: 0588C794
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Close_memset$Open
                    • String ID: %08X
                    • API String ID: 4292648718-3773563069
                    • Opcode ID: 07ddea25c29a6dec98eb8481e4e1092f0976e0c6f424f4cf94528d31d75c85e3
                    • Instruction ID: 05c01bd2a8e87c70ab1f66775c94e1867afc965b35a75fe2c6897d45e5fd5102
                    • Opcode Fuzzy Hash: 07ddea25c29a6dec98eb8481e4e1092f0976e0c6f424f4cf94528d31d75c85e3
                    • Instruction Fuzzy Hash: 3D5155B5A40218ABEB24EF94CC85FEAB778EB44714F404199FB06EA180E7746F44CF64
                    APIs
                    • socket.WS2_32(00000002,00000002,00000011), ref: 05883710
                    • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 05883749
                    • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 05883766
                    • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 05883779
                    • WSACreateEvent.WS2_32 ref: 0588377B
                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,058B1F4C), ref: 0588378D
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,058B1F4C), ref: 05883799
                    • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,058B1F4C), ref: 058837B8
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,058B1F4C), ref: 058837C4
                    • gethostbyname.WS2_32(00000000), ref: 058837D2
                    • htons.WS2_32(?), ref: 058837F8
                    • WSAEventSelect.WS2_32(?,?,00000030), ref: 05883816
                    • connect.WS2_32(?,?,00000010), ref: 0588382B
                    • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,058B1F4C), ref: 0588383A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                    • String ID:
                    • API String ID: 1455939504-0
                    • Opcode ID: 419403193ca9d9b15d8a6af91cf48282084edbd66c54e494007975077ddc6b23
                    • Instruction ID: 5249fafc0b4a962a299949e0794a7380fb2257320936a95fc04f712c616bf214
                    • Opcode Fuzzy Hash: 419403193ca9d9b15d8a6af91cf48282084edbd66c54e494007975077ddc6b23
                    • Instruction Fuzzy Hash: A3414075A40305ABE724EBA4DC4AF7FBB78FB49B10F104519FA16D62D0CA74A904CB61
                    APIs
                    • _free.LIBCMT ref: 0042EE76
                    • ___free_lconv_mon.LIBCMT ref: 0042EE81
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E1B3
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E1C5
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E1D7
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E1E9
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E1FB
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E20D
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E21F
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E231
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E243
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E255
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E267
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E279
                      • Part of subcall function 0042E196: _free.LIBCMT ref: 0042E28B
                    • _free.LIBCMT ref: 0042EE98
                    • _free.LIBCMT ref: 0042EEAD
                    • _free.LIBCMT ref: 0042EEB8
                    • _free.LIBCMT ref: 0042EEDA
                    • _free.LIBCMT ref: 0042EEED
                    • _free.LIBCMT ref: 0042EEFB
                    • _free.LIBCMT ref: 0042EF06
                    • _free.LIBCMT ref: 0042EF3E
                    • _free.LIBCMT ref: 0042EF45
                    • _free.LIBCMT ref: 0042EF62
                    • _free.LIBCMT ref: 0042EF7A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$___free_lconv_mon
                    • String ID:
                    • API String ID: 3658870901-0
                    • Opcode ID: 8f371fca843b0bf36adb099c4784a828dbd236780fcd241ea61f3abb2b7ae775
                    • Instruction ID: cb8f79120a6ede87015045d5a425552af29a58626d35bd12cd34f511ec8a07e3
                    • Opcode Fuzzy Hash: 8f371fca843b0bf36adb099c4784a828dbd236780fcd241ea61f3abb2b7ae775
                    • Instruction Fuzzy Hash: 4C3141B1700350AFEB20AE2AE845B57B3E5AB01315F95841FE49897261DB7CED80CA18
                    APIs
                    • GetLocalTime.KERNEL32(?,A97BC7BB), ref: 0588AA48
                    • wsprintfW.USER32 ref: 0588AA7F
                    • _memset.LIBCMT ref: 0588AA97
                    • _memset.LIBCMT ref: 0588AAAA
                      • Part of subcall function 05888010: lstrlenW.KERNEL32(?), ref: 05888028
                      • Part of subcall function 05888010: _memset.LIBCMT ref: 05888032
                      • Part of subcall function 05888010: lstrlenW.KERNEL32(?), ref: 0588803B
                      • Part of subcall function 05888010: lstrlenW.KERNEL32(?), ref: 05888046
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0588ABAE
                    • Sleep.KERNEL32(000003E8,?,?,?,00000208,?), ref: 0588AC4E
                    • CloseHandle.KERNEL32(?), ref: 0588AC8A
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                      • Part of subcall function 05889720: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,A97BC7BB,?,?,?,?,?,058A114B,000000FF), ref: 05889763
                      • Part of subcall function 05889720: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 05889802
                      • Part of subcall function 05889720: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 05889840
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
                    • String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
                    • API String ID: 1254190970-1225219777
                    • Opcode ID: 3972bb87f3c093d83821aee1310634904e5fb0879b676effce32662d028c69f9
                    • Instruction ID: 98b9178786b9402f0bf66d14b927f08a18c2b37e516f380c77e522c2e00e9097
                    • Opcode Fuzzy Hash: 3972bb87f3c093d83821aee1310634904e5fb0879b676effce32662d028c69f9
                    • Instruction Fuzzy Hash: 406197B16483409BD764EF58D884E7BB7E9FB84624F144A1DF985D3280EB349D44CBA3
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: dac70c105ff36dc783e8eb05b6b3df954bdbdb6bca337183bbca689b2de2930b
                    • Instruction ID: 0090a4e704ed15db785539d2103784ec2229ca23dff625ba350247f3575c270b
                    • Opcode Fuzzy Hash: dac70c105ff36dc783e8eb05b6b3df954bdbdb6bca337183bbca689b2de2930b
                    • Instruction Fuzzy Hash: 4BC167B1E40214BBDB20DFA9DC43FEEB7F8AB08704F544156FA44EB286D6789D418B58
                    APIs
                    • SetLastError.KERNEL32(0000139F,A97BC7BB,?,?,?,?,00000000,000000FF,00000000), ref: 05884CE6
                    • EnterCriticalSection.KERNEL32(?,A97BC7BB,?,?,?,?,00000000,000000FF,00000000), ref: 05884D0D
                    • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 05884D21
                    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 05884D28
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalErrorLastSection$EnterLeave
                    • String ID:
                    • API String ID: 2124651672-0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_
                    • String ID: 7SILVIA$FORTINET$HANSPETER-PC$JOHN-PC$MUELLER-PC$SANDBOX$TEQUILABOOMBOOM$WIN7 - TRAPS
                    • API String ID: 2427045233-2697073198
                    APIs
                    • _memset.LIBCMT ref: 0588E641
                    • GetForegroundWindow.USER32(?,759223A0,00000000), ref: 0588E649
                    • GetWindowTextW.USER32(00000000,058B1730,00000800), ref: 0588E65F
                    • _memset.LIBCMT ref: 0588E67D
                    • lstrlenW.KERNEL32(058B1730,?,?,?,?,759223A0,00000000), ref: 0588E69C
                    • GetLocalTime.KERNEL32(?,?,?,?,?,759223A0,00000000), ref: 0588E6AD
                    • wsprintfW.USER32 ref: 0588E6F4
                      • Part of subcall function 0588E5A0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,?,0588E705,?,?,?,?,759223A0,00000000), ref: 0588E5AD
                      • Part of subcall function 0588E5A0: CreateFileW.KERNEL32(058B0DC0,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0588E705,?,?,?,?,759223A0,00000000), ref: 0588E5C7
                      • Part of subcall function 0588E5A0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0588E5E2
                      • Part of subcall function 0588E5A0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 0588E5EF
                      • Part of subcall function 0588E5A0: WriteFile.KERNEL32(00000000,?,00000000), ref: 0588E5FA
                      • Part of subcall function 0588E5A0: CloseHandle.KERNEL32(00000000), ref: 0588E601
                      • Part of subcall function 0588E5A0: ReleaseMutex.KERNEL32(?), ref: 0588E60E
                    • _memset.LIBCMT ref: 0588E710
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                    • String ID: [
                    • API String ID: 2192163267-4056885943
                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 0588C7DA
                    • RegDeleteValueW.ADVAPI32(?), ref: 0588C7E5
                    • RegCloseKey.ADVAPI32(?), ref: 0588C7F5
                    • RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 0588C805
                    • lstrlenW.KERNEL32(?), ref: 0588C810
                    • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0588C823
                    • RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0588C831
                    • RegCloseKey.ADVAPI32(?), ref: 0588C83D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Close$Value$CreateDeleteOpenlstrlen
                    • String ID: AppEvents
                    • API String ID: 3935456190-2318512526
                    APIs
                    • __EH_prolog3.LIBCMT ref: 00415F87
                    • std::_Lockit::_Lockit.LIBCPMT ref: 00415F91
                    • int.LIBCPMT ref: 00415FA8
                      • Part of subcall function 00409F91: std::_Lockit::_Lockit.LIBCPMT ref: 00409FA2
                      • Part of subcall function 00409F91: std::_Lockit::~_Lockit.LIBCPMT ref: 00409FBC
                    • std::locale::_Getfacet.LIBCPMT ref: 00415FB1
                    • codecvt.LIBCPMT ref: 00415FCB
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00415FE8
                    • std::_Facet_Register.LIBCPMT ref: 00416007
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00416010
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3RegisterThrowcodecvtstd::locale::_
                    • String ID: HD
                    • API String ID: 1243920060-3462748586
                    APIs
                    • EnterCriticalSection.KERNEL32(?,?,?,?,0588398D,?,00000000,000000FF,00000000), ref: 05883E05
                    • LeaveCriticalSection.KERNEL32(?,?,?,0588398D,?,00000000,000000FF,00000000), ref: 05883E50
                    • send.WS2_32(?,000000FF,00000000,00000000), ref: 05883E6E
                    • EnterCriticalSection.KERNEL32(?), ref: 05883E81
                    • LeaveCriticalSection.KERNEL32(?), ref: 05883E94
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,0588398D,?,00000000,000000FF,00000000), ref: 05883EBC
                    • WSAGetLastError.WS2_32(?,?,0588398D,?,00000000,000000FF,00000000), ref: 05883EC7
                    • EnterCriticalSection.KERNEL32(?,?,?,0588398D,?,00000000,000000FF,00000000), ref: 05883EDB
                    • LeaveCriticalSection.KERNEL32(?), ref: 05883F14
                    • HeapFree.KERNEL32(00000000,00000000,?), ref: 05883F51
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                    • String ID:
                    • API String ID: 1701177279-0
                    APIs
                    • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 05884F63
                    • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 05884F78
                    • WSASetLastError.WS2_32(00002746), ref: 05884F8A
                    • LeaveCriticalSection.KERNEL32(000002FF), ref: 05884F91
                    • timeGetTime.WINMM ref: 05884FBF
                    • timeGetTime.WINMM ref: 05884FE7
                    • SetEvent.KERNEL32(?), ref: 05885025
                    • InterlockedExchange.KERNEL32(?,00000001), ref: 05885031
                    • LeaveCriticalSection.KERNEL32(000002FF), ref: 05885038
                    • LeaveCriticalSection.KERNEL32(000002FF), ref: 0588504B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                    • String ID:
                    • API String ID: 1979691958-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    APIs
                    • _memset.LIBCMT ref: 0588C20E
                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0588C22C
                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0588C269
                    • CloseHandle.KERNEL32(00000000), ref: 0588C274
                    • lstrlenW.KERNEL32(?), ref: 0588C281
                    • wsprintfW.USER32 ref: 0588C2A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
                    • String ID: %s %s
                    • API String ID: 1326869720-2939940506
                    APIs
                    • lstrlenW.KERNEL32(?), ref: 0588C8CD
                    • _wcsrchr.LIBCMT ref: 0588C907
                      • Part of subcall function 05887C70: LoadLibraryW.KERNEL32(wininet.dll), ref: 05887CB3
                      • Part of subcall function 05887C70: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 05887CC7
                      • Part of subcall function 05887C70: FreeLibrary.KERNEL32(00000000), ref: 05887CE7
                    • GetFileAttributesW.KERNEL32(-00000002), ref: 0588C926
                    • GetLastError.KERNEL32 ref: 0588C931
                    • _memset.LIBCMT ref: 0588C944
                    • CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0588C971
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
                    • String ID: D$WinSta0\Default
                    • API String ID: 174883095-1101385590
                    APIs
                    • lstrcmpiW.KERNEL32(?,A:\), ref: 05888156
                    • lstrcmpiW.KERNEL32(?,B:\), ref: 05888166
                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 05888196
                    • lstrlenW.KERNEL32(?), ref: 058881A7
                    • __wcsnicmp.LIBCMT ref: 058881BE
                    • lstrcpyW.KERNEL32(00000AD4,?), ref: 058881F4
                    • lstrcpyW.KERNEL32(?,?), ref: 05888218
                    • lstrcatW.KERNEL32(?,00000000), ref: 05888223
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
                    • String ID: A:\$B:\
                    • API String ID: 4249875308-1009255891
                    APIs
                    • __EH_prolog3.LIBCMT ref: 00411540
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0041154B
                    • int.LIBCPMT ref: 00411561
                      • Part of subcall function 00409F91: std::_Lockit::_Lockit.LIBCPMT ref: 00409FA2
                      • Part of subcall function 00409F91: std::_Lockit::~_Lockit.LIBCPMT ref: 00409FBC
                    • std::locale::_Getfacet.LIBCPMT ref: 0041156A
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004115AA
                    • std::_Facet_Register.LIBCPMT ref: 004115C0
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004115C9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3RegisterThrowstd::locale::_
                    • String ID: PD
                    • API String ID: 4117319562-2666890729
                    APIs
                    • __EH_prolog3.LIBCMT ref: 0041072A
                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410735
                    • int.LIBCPMT ref: 0041074B
                      • Part of subcall function 00409F91: std::_Lockit::_Lockit.LIBCPMT ref: 00409FA2
                      • Part of subcall function 00409F91: std::_Lockit::~_Lockit.LIBCPMT ref: 00409FBC
                    • std::locale::_Getfacet.LIBCPMT ref: 00410754
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410794
                    • std::_Facet_Register.LIBCPMT ref: 004107AA
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 004107B3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3RegisterThrowstd::locale::_
                    • String ID: TD
                    • API String ID: 4117319562-1802838825
                    • Opcode ID: 8cf9db64d6f4e9fbc5e78ba9d8bee6e9b9eec8aa38a68843baf7ca7834e52910
                    • Instruction ID: 6bd4a988e6b3405ff7bc35336011987ca5bb8b0170667c911e43f7e53bb70c08
                    • Opcode Fuzzy Hash: 8cf9db64d6f4e9fbc5e78ba9d8bee6e9b9eec8aa38a68843baf7ca7834e52910
                    • Instruction Fuzzy Hash: F0115E759003199BCB01EFA5C8819EEB774BF44318B10452FF511AB291DB7CA9858B9D
                    APIs
                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,A97BC7BB,?,?,?,?,?,058A114B,000000FF), ref: 05889763
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 05889802
                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 05889840
                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 05889865
                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0588988A
                      • Part of subcall function 05881280: __CxxThrowException@8.LIBCMT ref: 05881290
                      • Part of subcall function 05881280: DeleteCriticalSection.KERNEL32(00000000,0588D326,058A6514,?,?,0588D326,?,?,?,?,058A5930,00000000), ref: 058812A1
                      • Part of subcall function 0588CD50: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,A97BC7BB,?,75922F60,00000000,?,?,058A0FFB,000000FF,?,0588993A,?), ref: 0588CDA7
                      • Part of subcall function 0588CD50: InitializeCriticalSectionAndSpinCount.KERNEL32(FFFFFFFF,00000000,?,?,058A0FFB,000000FF,?,0588993A,?), ref: 0588CDC3
                    • InterlockedExchange.KERNEL32(?,00000000), ref: 05889990
                    • timeGetTime.WINMM ref: 05889996
                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 058899A4
                    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 058899AD
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                    • String ID:
                    • API String ID: 1400036169-0
                    • Opcode ID: c146e9596380b072383f2e074ad4344b9a3b86ecd925837c505dff559a748a27
                    • Instruction ID: 1ca2ee1d0ccac596f1b06841cda753adb28f46a5b0d47ace78272ddf86ba4258
                    • Opcode Fuzzy Hash: c146e9596380b072383f2e074ad4344b9a3b86ecd925837c505dff559a748a27
                    • Instruction Fuzzy Hash: 9B81F9B0A01A46BFE354DF79C888796FBA8FB08314F50422EE52DC7640D775A964CF91
                    APIs
                      • Part of subcall function 05883660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 05883667
                      • Part of subcall function 05883660: _free.LIBCMT ref: 0588369C
                      • Part of subcall function 05883660: _malloc.LIBCMT ref: 058836D7
                      • Part of subcall function 05883660: _memset.LIBCMT ref: 058836E5
                    • InterlockedIncrement.KERNEL32(058B1F4C), ref: 05883565
                    • InterlockedIncrement.KERNEL32(058B1F4C), ref: 05883573
                    • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0588359A
                    • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 058835B3
                    • ResetEvent.KERNEL32(?,?,?,058B1F4C), ref: 058835EE
                    • SetLastError.KERNEL32(00000000), ref: 05883621
                    • GetLastError.KERNEL32 ref: 05883639
                      • Part of subcall function 05883F60: GetCurrentThreadId.KERNEL32 ref: 05883F65
                      • Part of subcall function 05883F60: send.WS2_32(?,058A49C0,00000010,00000000), ref: 05883FC6
                      • Part of subcall function 05883F60: SetEvent.KERNEL32(?), ref: 05883FE9
                      • Part of subcall function 05883F60: InterlockedExchange.KERNEL32(?,00000000), ref: 05883FF5
                      • Part of subcall function 05883F60: WSACloseEvent.WS2_32(?), ref: 05884003
                      • Part of subcall function 05883F60: shutdown.WS2_32(?,00000001), ref: 0588401B
                      • Part of subcall function 05883F60: closesocket.WS2_32(?), ref: 05884025
                    • SetLastError.KERNEL32(00000000), ref: 05883649
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                    • String ID:
                    • API String ID: 127459856-0
                    • Opcode ID: d6283e34e3d009432f678fd75ec066a5ae23e0296c0f5e9bfc215243b738f8c9
                    • Instruction ID: 4752a5cf662786fa52a420be9ae8b1b0dbf54393ac0b58e7615fde538bb0a307
                    • Opcode Fuzzy Hash: d6283e34e3d009432f678fd75ec066a5ae23e0296c0f5e9bfc215243b738f8c9
                    • Instruction Fuzzy Hash: D2418DB5600704AFD360EF69DC81B6ABBE8FF48711F10092EEA46D7740DBB4B9048B50
                    APIs
                    • ResetEvent.KERNEL32(?), ref: 05884443
                    • ResetEvent.KERNEL32(?), ref: 0588444C
                    • timeGetTime.WINMM ref: 0588444E
                    • InterlockedExchange.KERNEL32(?,00000000), ref: 0588445D
                    • WaitForSingleObject.KERNEL32(?,00001770), ref: 058844AB
                    • ResetEvent.KERNEL32(?), ref: 058844C8
                      • Part of subcall function 05883F60: GetCurrentThreadId.KERNEL32 ref: 05883F65
                      • Part of subcall function 05883F60: send.WS2_32(?,058A49C0,00000010,00000000), ref: 05883FC6
                      • Part of subcall function 05883F60: SetEvent.KERNEL32(?), ref: 05883FE9
                      • Part of subcall function 05883F60: InterlockedExchange.KERNEL32(?,00000000), ref: 05883FF5
                      • Part of subcall function 05883F60: WSACloseEvent.WS2_32(?), ref: 05884003
                      • Part of subcall function 05883F60: shutdown.WS2_32(?,00000001), ref: 0588401B
                      • Part of subcall function 05883F60: closesocket.WS2_32(?), ref: 05884025
                    • ResetEvent.KERNEL32(?), ref: 058844DC
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                    • String ID:
                    • API String ID: 542259498-0
                    • Opcode ID: 1a0ea3706187c95ce546dd5b9b1d0c8004ea2a56465bb30715f8205556fb568f
                    • Instruction ID: b5fa4fdcd1bb5b3cfdc1c97a70a87596384edef5caaae89f83eaacce6aeeff75
                    • Opcode Fuzzy Hash: 1a0ea3706187c95ce546dd5b9b1d0c8004ea2a56465bb30715f8205556fb568f
                    • Instruction Fuzzy Hash: ED2182762147045BD630EF79DC85BA7B7E8FF89710F100A1EF94AC3650EA71B8048BA1
                    APIs
                    • SetLastError.KERNEL32(0000139F,?), ref: 05884E99
                    • TryEnterCriticalSection.KERNEL32(?,?), ref: 05884EB8
                    • TryEnterCriticalSection.KERNEL32(?), ref: 05884EC2
                    • SetLastError.KERNEL32(0000139F), ref: 05884ED9
                    • LeaveCriticalSection.KERNEL32(?), ref: 05884EE2
                    • LeaveCriticalSection.KERNEL32(?), ref: 05884EE9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterErrorLastLeave
                    • String ID:
                    • API String ID: 4082018349-0
                    • Opcode ID: 17a6736e2f260397401e6c66e763856a515c69b165be813cfe6d51468b31fc4d
                    • Instruction ID: f033d7afdd0036135e09ea07df9fc55c22ba39f1e4d34164eb63c372924931c8
                    • Opcode Fuzzy Hash: 17a6736e2f260397401e6c66e763856a515c69b165be813cfe6d51468b31fc4d
                    • Instruction Fuzzy Hash: 58115E367143058BD730EA69AC8597AF7E8FB88325B00096EEE47C2550EA61EC04C6A5
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$_abort_memcmp
                    • String ID: C
                    • API String ID: 137591632-1037565863
                    • Opcode ID: 02177950ef4cbb7b5e7d75defd5681ab0e89a2a84e828912c61c8f635c6afb52
                    • Instruction ID: 8d35496f2f27db50f7c5ffb127d95a8784faad9c84f8800e00c7ceac8d6c3bf5
                    • Opcode Fuzzy Hash: 02177950ef4cbb7b5e7d75defd5681ab0e89a2a84e828912c61c8f635c6afb52
                    • Instruction Fuzzy Hash: EAB13D75A01229DFDB24DF18E884AADB7B4FB08304F9141EEE949A7354D735AE90CF48
                    APIs
                    • SetLastError.KERNEL32(0000007F), ref: 0588DC72
                    • SetLastError.KERNEL32(0000007F), ref: 0588DD75
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ErrorLast
                    • String ID: Main
                    • API String ID: 1452528299-521822810
                    • Opcode ID: 215ecbbf9dbae248f24bb4f16ded8b7cf9811901c4d7a047a5f2693f2a548adc
                    • Instruction ID: 916016b6e5816e6b19be307f70f5d768748ede8ceaa1aab458449775f4728218
                    • Opcode Fuzzy Hash: 215ecbbf9dbae248f24bb4f16ded8b7cf9811901c4d7a047a5f2693f2a548adc
                    • Instruction Fuzzy Hash: 08419E71A052059BE720EF58D881BBAB7E5FF84314F0486A9EC06CB781E775ED41CB90
                    APIs
                    • std::system_error::system_error.LIBCPMT ref: 0040A924
                      • Part of subcall function 0040A83F: __EH_prolog3_GS.LIBCMT ref: 0040A846
                    • std::system_error::system_error.LIBCPMT ref: 0040A953
                      • Part of subcall function 004107C0: __Init_thread_footer.LIBCMT ref: 0041080A
                    • std::system_error::system_error.LIBCPMT ref: 0040A97C
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040A99E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::system_error::system_error$Exception@8H_prolog3_Init_thread_footerThrow
                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                    • API String ID: 1655831007-1866435925
                    • Opcode ID: 511f13fbb9e4ebbb1886e9922c4f66d423fecec15ac26f4dc348fdd62ef75f1a
                    • Instruction ID: fa1219887b7f32737682137bfa165a9407a848542708bd4db1697170cd2d746d
                    • Opcode Fuzzy Hash: 511f13fbb9e4ebbb1886e9922c4f66d423fecec15ac26f4dc348fdd62ef75f1a
                    • Instruction Fuzzy Hash: 07112C726443007BE711FA14C853FAA7394AB40B04F50C81FB9956A1C1EBBCA855D79F
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$_wcschr
                    • String ID:
                    • API String ID: 565560161-0
                    • Opcode ID: 2d990241f16ac3012c408bbc7474bb55ba02d0b759fa483369b146f7c56b06ab
                    • Instruction ID: c44d2d3b177bb4c968aeb01cc264f12d2e252c27716455c33e821b1e7030556b
                    • Opcode Fuzzy Hash: 2d990241f16ac3012c408bbc7474bb55ba02d0b759fa483369b146f7c56b06ab
                    • Instruction Fuzzy Hash: 246159B1F003206BDB24AF65F851A6B7BE49F01324F95417FE8459B381E67DA9408B5C
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 05883F65
                    • SetLastError.KERNEL32(0000139F,?,7591DFA0,05883648), ref: 05884054
                      • Part of subcall function 05882BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 05882BD6
                      • Part of subcall function 05882BC0: SwitchToThread.KERNEL32 ref: 05882BEA
                    • send.WS2_32(?,058A49C0,00000010,00000000), ref: 05883FC6
                    • SetEvent.KERNEL32(?), ref: 05883FE9
                    • InterlockedExchange.KERNEL32(?,00000000), ref: 05883FF5
                    • WSACloseEvent.WS2_32(?), ref: 05884003
                    • shutdown.WS2_32(?,00000001), ref: 0588401B
                    • closesocket.WS2_32(?), ref: 05884025
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                    • String ID:
                    • API String ID: 3254528666-0
                    • Opcode ID: 75d25e70d66e1f8c5eef34b5821653a73816d9ed580523fefb6a746534e0f48b
                    • Instruction ID: 6174ff8f3bf1be0af173835570e680fdc54c0fec7d8b38bd1db36326d33302ca
                    • Opcode Fuzzy Hash: 75d25e70d66e1f8c5eef34b5821653a73816d9ed580523fefb6a746534e0f48b
                    • Instruction Fuzzy Hash: AA21F5752107019BE730AB68D889B6BBBB5FB44B14F140D1CFA93C6A90DBB5F8418B50
                    APIs
                    • EnterCriticalSection.KERNEL32(?,?,00000000,05884039,?,7591DFA0,05883648), ref: 05884074
                    • ResetEvent.KERNEL32(?,?,00000000,05884039,?,7591DFA0,05883648), ref: 05884087
                    • ResetEvent.KERNEL32(?,?,00000000,05884039,?,7591DFA0,05883648), ref: 05884090
                    • ResetEvent.KERNEL32(?,?,00000000,05884039,?,7591DFA0,05883648), ref: 05884099
                      • Part of subcall function 05881350: HeapFree.KERNEL32(?,00000000,?,?,?,058840A6,?,00000000,05884039,?,7591DFA0,05883648), ref: 05881390
                      • Part of subcall function 05881420: HeapFree.KERNEL32(?,00000000,?,?,?,058840B1,?,00000000,05884039,?,7591DFA0,05883648), ref: 0588143D
                      • Part of subcall function 05881420: _free.LIBCMT ref: 05881459
                    • HeapDestroy.KERNEL32(?,?,00000000,05884039,?,7591DFA0,05883648), ref: 058840B9
                    • HeapCreate.KERNEL32(?,?,?,?,00000000,05884039,?,7591DFA0,05883648), ref: 058840D4
                    • SetEvent.KERNEL32(?,?,00000000,05884039,?,7591DFA0,05883648), ref: 05884150
                    • LeaveCriticalSection.KERNEL32(?,?,00000000,05884039,?,7591DFA0,05883648), ref: 05884157
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                    • String ID:
                    • API String ID: 1219087420-0
                    • Opcode ID: 0d550124100f534e0a397bc4fc7e33116c10c1156836a2a2622e92bba17d1841
                    • Instruction ID: cbe1b7dc6bb8f3ace79e18fbc670878f82c280c9fd6a277925512bb2bb561593
                    • Opcode Fuzzy Hash: 0d550124100f534e0a397bc4fc7e33116c10c1156836a2a2622e92bba17d1841
                    • Instruction Fuzzy Hash: ED312A75210602AFD745EB78D858BA6F7A8FF48314F148259E82AC7260DB35B951CFD0
                    APIs
                    • __EH_prolog3.LIBCMT ref: 00414EA0
                    • std::_Lockit::_Lockit.LIBCPMT ref: 00414EAA
                    • int.LIBCPMT ref: 00414EC1
                      • Part of subcall function 00409F91: std::_Lockit::_Lockit.LIBCPMT ref: 00409FA2
                      • Part of subcall function 00409F91: std::_Lockit::~_Lockit.LIBCPMT ref: 00409FBC
                    • std::locale::_Getfacet.LIBCPMT ref: 00414ECA
                    • codecvt.LIBCPMT ref: 00414EE4
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00414F01
                    • std::_Facet_Register.LIBCPMT ref: 00414F20
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00414F29
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3RegisterThrowcodecvtstd::locale::_
                    • String ID:
                    • API String ID: 1243920060-0
                    • Opcode ID: 9a37c4ca32d4f72e2577b2f97e864c81b1d01fadd4be8cf112c8562fdee9deb0
                    • Instruction ID: 345db9bcee593613158df028d78eab87863716f07e80e62ebecf6e8e7bc719ca
                    • Opcode Fuzzy Hash: 9a37c4ca32d4f72e2577b2f97e864c81b1d01fadd4be8cf112c8562fdee9deb0
                    • Instruction Fuzzy Hash: 8B01A1719001169BCF01EBA1C8429EE7325BF94328F14051FF4116B3D2DF3C9D468799
                    APIs
                      • Part of subcall function 05881610: __vswprintf.LIBCMT ref: 05881646
                    • _malloc.LIBCMT ref: 05882330
                      • Part of subcall function 0588F563: __FF_MSGBANNER.LIBCMT ref: 0588F57C
                      • Part of subcall function 0588F563: __NMSG_WRITE.LIBCMT ref: 0588F583
                      • Part of subcall function 0588F563: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 0588F5A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: AllocateHeap__vswprintf_malloc
                    • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                    • API String ID: 3723585974-868042568
                    • Opcode ID: cc86d02b55c46a9ecddee2ad3a8adad7bc64d780c5689db09821804ae670a0f4
                    • Instruction ID: da82da17bf61a331d39a718e9e9a284fbc78a78efeb8bccfcd97bfe1191b8e35
                    • Opcode Fuzzy Hash: cc86d02b55c46a9ecddee2ad3a8adad7bc64d780c5689db09821804ae670a0f4
                    • Instruction Fuzzy Hash: E9B1A279A042058BCF18EF68D894ABAB7A1FF44310F08456EDD4ADB346D731ED41CB91
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 5c4ca65f2282142b8e6d1775854e7d6824a520d0d30fe3e397f315a510141f05
                    • Instruction ID: c48e34c806fc93d00e6808c21d6ee457566fa3dbffcd52f3768e30c90bb6c12c
                    • Opcode Fuzzy Hash: 5c4ca65f2282142b8e6d1775854e7d6824a520d0d30fe3e397f315a510141f05
                    • Instruction Fuzzy Hash: FA61F771E00225AFDB20DF66E841BAABBF4FF45310F9441ABE984EB341D7789D418B58
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fc7fe906b7f9ddf05f75b2de11bb7e3c3a2cea166a25cf8d3a130629215e81eb
                    • Instruction ID: c185e459d5539be06f88054b5743a15cb486ae588158876233ead096b3345e9b
                    • Opcode Fuzzy Hash: fc7fe906b7f9ddf05f75b2de11bb7e3c3a2cea166a25cf8d3a130629215e81eb
                    • Instruction Fuzzy Hash: 4B71C4B49007059FDB18DF29D485A95BBE0FF08710B20C56FE8698B752D7B4EA90CF94
                    APIs
                    • _free.LIBCMT ref: 05881878
                    • _free.LIBCMT ref: 058818B6
                    • _free.LIBCMT ref: 058818F5
                    • _free.LIBCMT ref: 05881935
                    • _free.LIBCMT ref: 0588195D
                    • _free.LIBCMT ref: 05881981
                    • _free.LIBCMT ref: 058819B9
                      • Part of subcall function 0588F529: RtlFreeHeap.NTDLL(00000000,00000000,?,05893D3C,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 0588F53F
                      • Part of subcall function 0588F529: GetLastError.KERNEL32(00000000,?,05893D3C,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000), ref: 0588F551
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 98afb7ff4db5643a870946c7d347e85cdb3ed9801407c5c9bd83f51a36d578b6
                    • Instruction ID: f79428d4832f8b52915b2d751c761fbe70c26b613ce97e33be29e00348f6c080
                    • Opcode Fuzzy Hash: 98afb7ff4db5643a870946c7d347e85cdb3ed9801407c5c9bd83f51a36d578b6
                    • Instruction Fuzzy Hash: DA513BB2A002159FC714EF59D4C9875BBA6FF88314B1981ADD91AAF311CB32BD42CB91
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 05883883
                    • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 058838C4
                    • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 05883931
                    • GetCurrentThreadId.KERNEL32 ref: 0588395C
                    • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 058839F4
                    • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 05883A22
                    • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 05883A39
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                    • String ID:
                    • API String ID: 3058130114-0
                    • Opcode ID: 5ad698a64ef987e4465725f92f2ca7762a22fe0a0748ecf861b7df627467a3ef
                    • Instruction ID: 6c0dd3e2602b9481b013b27adab0e603c0ba6b65f37269c65e7ca93a06b967bb
                    • Opcode Fuzzy Hash: 5ad698a64ef987e4465725f92f2ca7762a22fe0a0748ecf861b7df627467a3ef
                    • Instruction Fuzzy Hash: 9A5159706047019BDB20BB28CD89BBABBA5FF46B14F104919ED6AD7680EF74FD408B51
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 6dd356d4879980d832855e29057831adf0ab8e09fcd3e774d0a7f8609a170f3b
                    • Instruction ID: 351df5904e51b4d293894b82aa9459465cbd7e2b4bf20acada74d019c2f7d038
                    • Opcode Fuzzy Hash: 6dd356d4879980d832855e29057831adf0ab8e09fcd3e774d0a7f8609a170f3b
                    • Instruction Fuzzy Hash: 7A111DB1641768FAE520BBB2EC06FCBB7E85F01714FC0482BB2D9A6062D66DE5444754
                    APIs
                    • __EH_prolog3.LIBCMT ref: 00410D42
                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410D4D
                    • int.LIBCPMT ref: 00410D63
                      • Part of subcall function 00409F91: std::_Lockit::_Lockit.LIBCPMT ref: 00409FA2
                      • Part of subcall function 00409F91: std::_Lockit::~_Lockit.LIBCPMT ref: 00409FBC
                    • std::locale::_Getfacet.LIBCPMT ref: 00410D6C
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410DAC
                    • std::_Facet_Register.LIBCPMT ref: 00410DC2
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410DCB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3RegisterThrowstd::locale::_
                    • String ID:
                    • API String ID: 4117319562-0
                    • Opcode ID: fba0c2326c1434d078090c71260acb8fb395d3cf23103ac22208d4f800f413bf
                    • Instruction ID: 3e26b6b3d551c7a40d525d11b9e8ef738dc00214e4b62061d29b6b6ac4c15d42
                    • Opcode Fuzzy Hash: fba0c2326c1434d078090c71260acb8fb395d3cf23103ac22208d4f800f413bf
                    • Instruction Fuzzy Hash: C311A1729002199BCF01EFE5D8829EE7774BF48328B10451FF411A7291DB7C99858B9D
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,?,0588E705,?,?,?,?,759223A0,00000000), ref: 0588E5AD
                    • CreateFileW.KERNEL32(058B0DC0,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0588E705,?,?,?,?,759223A0,00000000), ref: 0588E5C7
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0588E5E2
                    • lstrlenW.KERNEL32(?,00000000,00000000), ref: 0588E5EF
                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 0588E5FA
                    • CloseHandle.KERNEL32(00000000), ref: 0588E601
                    • ReleaseMutex.KERNEL32(?), ref: 0588E60E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
                    • String ID:
                    • API String ID: 4202892810-0
                    • Opcode ID: a779da957ae72cc285aa8845d1ac992b4bbd317db1a7c594f9c3c52a9f385890
                    • Instruction ID: 5cf912018224c2928bc7b8d4afda70f4971aa44c0b7cd5e3cbd0b6977c2e41dc
                    • Opcode Fuzzy Hash: a779da957ae72cc285aa8845d1ac992b4bbd317db1a7c594f9c3c52a9f385890
                    • Instruction Fuzzy Hash: 72013675255210BBF234A794AC0FFAA3E6CEB05725F104204FF16E61C0DEB07900C7A5
                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,058A6208,00000008,05893D26,00000000,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C), ref: 05893C2F
                    • __lock.LIBCMT ref: 05893C63
                      • Part of subcall function 05898D4B: __mtinitlocknum.LIBCMT ref: 05898D61
                      • Part of subcall function 05898D4B: __amsg_exit.LIBCMT ref: 05898D6D
                      • Part of subcall function 05898D4B: EnterCriticalSection.KERNEL32(00000000,00000000,?,05893DF6,0000000D,058A6230,00000008,05893EED,00000000,?,05890FE0,00000000,058A6168,00000008,05891045,?), ref: 05898D75
                    • InterlockedIncrement.KERNEL32(?), ref: 05893C70
                    • __lock.LIBCMT ref: 05893C84
                    • ___addlocaleref.LIBCMT ref: 05893CA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                    • String ID: KERNEL32.DLL
                    • API String ID: 637971194-2576044830
                    • Opcode ID: adc6ecc6f3e30806985b65a23ac2cd5577f21ba5d948bc31bee98fbeda7070bb
                    • Instruction ID: f02b896d784ffc9b74ede4abee312701c89a1405272bc07a11b277795ed4da0f
                    • Opcode Fuzzy Hash: adc6ecc6f3e30806985b65a23ac2cd5577f21ba5d948bc31bee98fbeda7070bb
                    • Instruction Fuzzy Hash: 9E015E71540B009AEB24AF69D409749FBE0BF51314F14490DEC9AD63A0CF74AE45CB52
                    APIs
                    • __getptd.LIBCMT ref: 058A020D
                      • Part of subcall function 05893D4B: __getptd_noexit.LIBCMT ref: 05893D4E
                      • Part of subcall function 05893D4B: __amsg_exit.LIBCMT ref: 05893D5B
                    • __getptd.LIBCMT ref: 058A021E
                    • __getptd.LIBCMT ref: 058A022C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __getptd$__amsg_exit__getptd_noexit
                    • String ID: MOC$RCC$csm
                    • API String ID: 803148776-2671469338
                    • Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                    • Instruction ID: aef24aadf01b7ff3698453496f351b9a92d9f00e7801a3c7da4d3be22f89d532
                    • Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                    • Instruction Fuzzy Hash: B3E01231204308CFEF259768C09DB7832D5BB85615F1904A5DC4DCB261DB28FC908A53
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe
                    • String ID:
                    • API String ID: 4189289331-0
                    • Opcode ID: 9e7c393f7913040c7c2fac54b8562294a6cc16eba612aa0d52204cfc202d269d
                    • Instruction ID: 9724f99bbef3ba2ae2681cf2a2be8895b7bffa32eb9f01a1a5dc954d3494b116
                    • Opcode Fuzzy Hash: 9e7c393f7913040c7c2fac54b8562294a6cc16eba612aa0d52204cfc202d269d
                    • Instruction Fuzzy Hash: 0A512E71B00224BBDB209F59EC41EBB77B8DF49325F94421FF81596281DB3CDA50866C
                    APIs
                    • _malloc.LIBCMT ref: 05889C2F
                      • Part of subcall function 0588F563: __FF_MSGBANNER.LIBCMT ref: 0588F57C
                      • Part of subcall function 0588F563: __NMSG_WRITE.LIBCMT ref: 0588F583
                      • Part of subcall function 0588F563: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 0588F5A8
                    • _free.LIBCMT ref: 05889C53
                    • _memset.LIBCMT ref: 05889CAB
                      • Part of subcall function 0588A600: GetObjectW.GDI32(?,00000054,?), ref: 0588A61E
                    • CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 05889CC3
                    • _free.LIBCMT ref: 05889CD4
                    • _free.LIBCMT ref: 05889D13
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
                    • String ID:
                    • API String ID: 1756752955-0
                    • Opcode ID: d20cae4b994269b7b2de440a2c9ee0123b5e9d67542188d57c81d535cd8aa531
                    • Instruction ID: 48054bb7be2b6a1ceec6cbcd940520668bdd2f802df5d33924b401a4762be7f1
                    • Opcode Fuzzy Hash: d20cae4b994269b7b2de440a2c9ee0123b5e9d67542188d57c81d535cd8aa531
                    • Instruction Fuzzy Hash: FF3190B26003066BE710EF6AD980B76B7D9FB54314F00853AEE0AC7641E7B1E954C795
                    APIs
                    • EnterCriticalSection.KERNEL32(000002FF), ref: 058850CA
                    • WSASetLastError.WS2_32(0000139F), ref: 058850E2
                    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 058850EC
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterErrorLastLeave
                    • String ID:
                    • API String ID: 4082018349-0
                    • Opcode ID: 8e07597c2fb162b6a65fccb697ca907dad91a3800fb4e7e7410a9904535ddab6
                    • Instruction ID: 6e68d0217ed1dc878c7fa434690bb456d665d2dd6c7f382e5a64a9cc7eaeb147
                    • Opcode Fuzzy Hash: 8e07597c2fb162b6a65fccb697ca907dad91a3800fb4e7e7410a9904535ddab6
                    • Instruction Fuzzy Hash: 46319A7AA44304ABE720EF58D886F7AB7A8FB48710F00455AFD16C3680EB36B810CB51
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID: wA
                    • API String ID: 1036877536-2642313842
                    • Opcode ID: 81a7f3e143f0c3902e971790fd065bb8be4de18eb659e71127858b440c70fc8e
                    • Instruction ID: 4b44f96e34cf7c20bef16c9bbc2aea76bfff12a845b3ea55e709f6a113a867cf
                    • Opcode Fuzzy Hash: 81a7f3e143f0c3902e971790fd065bb8be4de18eb659e71127858b440c70fc8e
                    • Instruction Fuzzy Hash: AFA15671B087A69FDB218F28D881BAFBBE1EF55350F9441AFE4859B341C23C9981C758
                    APIs
                    • __CreateFrameInfo.LIBCMT ref: 058A04C6
                      • Part of subcall function 0589FFA7: __getptd.LIBCMT ref: 0589FFB5
                      • Part of subcall function 0589FFA7: __getptd.LIBCMT ref: 0589FFC3
                    • __getptd.LIBCMT ref: 058A04D0
                      • Part of subcall function 05893D4B: __getptd_noexit.LIBCMT ref: 05893D4E
                      • Part of subcall function 05893D4B: __amsg_exit.LIBCMT ref: 05893D5B
                    • __getptd.LIBCMT ref: 058A04DE
                    • __getptd.LIBCMT ref: 058A04EC
                    • __getptd.LIBCMT ref: 058A04F7
                    • _CallCatchBlock2.LIBCMT ref: 058A051D
                      • Part of subcall function 058A004C: __CallSettingFrame@12.LIBCMT ref: 058A0098
                      • Part of subcall function 058A05C4: __getptd.LIBCMT ref: 058A05D3
                      • Part of subcall function 058A05C4: __getptd.LIBCMT ref: 058A05E1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                    • String ID:
                    • API String ID: 1602911419-0
                    • Opcode ID: 08a57af2580cfcbd1530751a9dc6dcc3e137957f18e7e99ce621ec8fd56cac22
                    • Instruction ID: a50c4bab77f7ba6221fa70036f2e4f61fb739df897f86415ba6e2dc071cbeb30
                    • Opcode Fuzzy Hash: 08a57af2580cfcbd1530751a9dc6dcc3e137957f18e7e99ce621ec8fd56cac22
                    • Instruction Fuzzy Hash: 2A11F671E00309DFDF44EFA8C488AADBBB0FF18314F148469E854EB250DB789A119F51
                    APIs
                    • __getptd.LIBCMT ref: 05894781
                      • Part of subcall function 05893D4B: __getptd_noexit.LIBCMT ref: 05893D4E
                      • Part of subcall function 05893D4B: __amsg_exit.LIBCMT ref: 05893D5B
                    • __amsg_exit.LIBCMT ref: 058947A1
                    • __lock.LIBCMT ref: 058947B1
                    • InterlockedDecrement.KERNEL32(?), ref: 058947CE
                    • _free.LIBCMT ref: 058947E1
                    • InterlockedIncrement.KERNEL32(05A71668), ref: 058947F9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                    • String ID:
                    • API String ID: 3470314060-0
                    • Opcode ID: 15f895ac8c983d855cb3191e097c5fef456c76519a2c4ada060a0cbcf1eb3962
                    • Instruction ID: 2161b70f6bc78e8e2d48a29fb40102c0451704446269893099f2b219618b4839
                    • Opcode Fuzzy Hash: 15f895ac8c983d855cb3191e097c5fef456c76519a2c4ada060a0cbcf1eb3962
                    • Instruction Fuzzy Hash: 6E01C439A19719BBEF29AF68944976EBB60BF46710F0C0105EC05E76A0DB346D43CBD2
                    APIs
                    • DeleteObject.GDI32(?), ref: 05889BC2
                    • EnterCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889BD3
                    • EnterCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889BE8
                    • GdiplusShutdown.GDIPLUS(00000000,?,?,?,05889B6B), ref: 05889BF4
                    • LeaveCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889C05
                    • LeaveCriticalSection.KERNEL32(058AFBA4,?,?,?,05889B6B), ref: 05889C0C
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                    • String ID:
                    • API String ID: 4268643673-0
                    • Opcode ID: 95db3bb029a2a19abb9b4bfdb5c384d681ff83e5d15330b0bb8a2fe8a269ddc5
                    • Instruction ID: 1f38e8aee6b878a1f3d4d8a33e037f4727793803bcc71cb93bcb5c68a25414fe
                    • Opcode Fuzzy Hash: 95db3bb029a2a19abb9b4bfdb5c384d681ff83e5d15330b0bb8a2fe8a269ddc5
                    • Instruction Fuzzy Hash: C0011EBA511200AFA724AF6AD891455BFB4FE4831437481AEEA09CA211C776D803CF91
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 058848E1
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 058848EC
                    • Sleep.KERNEL32(00000258), ref: 058848F9
                    • CloseHandle.KERNEL32(?), ref: 05884914
                    • CloseHandle.KERNEL32(?), ref: 0588491D
                    • Sleep.KERNEL32(0000012C), ref: 0588492E
                      • Part of subcall function 05883F60: GetCurrentThreadId.KERNEL32 ref: 05883F65
                      • Part of subcall function 05883F60: send.WS2_32(?,058A49C0,00000010,00000000), ref: 05883FC6
                      • Part of subcall function 05883F60: SetEvent.KERNEL32(?), ref: 05883FE9
                      • Part of subcall function 05883F60: InterlockedExchange.KERNEL32(?,00000000), ref: 05883FF5
                      • Part of subcall function 05883F60: WSACloseEvent.WS2_32(?), ref: 05884003
                      • Part of subcall function 05883F60: shutdown.WS2_32(?,00000001), ref: 0588401B
                      • Part of subcall function 05883F60: closesocket.WS2_32(?), ref: 05884025
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                    • String ID:
                    • API String ID: 1019945655-0
                    • Opcode ID: c9f3319a0d73ae341057c17f8c353a3eb615f6860eed096ea4d32e55e4f06399
                    • Instruction ID: a9d09b153938e8af569d5fc4360c9321b9e362f4b964b8d4005a44b92f8c718f
                    • Opcode Fuzzy Hash: c9f3319a0d73ae341057c17f8c353a3eb615f6860eed096ea4d32e55e4f06399
                    • Instruction Fuzzy Hash: 75F03A762047055BD624EBADDC84D5AF3E9EFC9720B254B09F66A83294CE71FC01CBA0
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05883311
                    • Sleep.KERNEL32(00000258), ref: 0588331E
                    • InterlockedExchange.KERNEL32(?,00000000), ref: 05883326
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05883332
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0588333A
                    • Sleep.KERNEL32(0000012C), ref: 0588334B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                    • String ID:
                    • API String ID: 3137405945-0
                    • Opcode ID: 53d4a2bbce45df0f0cf91e2503bfc6b8c084f7338561c0df2a80c5ffe5f016f9
                    • Instruction ID: 0322932d3840ce8ea57a96ed858eeb3a2cead0751f4ec6a683afce2510031ab3
                    • Opcode Fuzzy Hash: 53d4a2bbce45df0f0cf91e2503bfc6b8c084f7338561c0df2a80c5ffe5f016f9
                    • Instruction Fuzzy Hash: 45F082762043146BD620EBA9DC84D46F7E8AF89334B204709F622832D0CEB0F801CB60
                    APIs
                    • ___BuildCatchObject.LIBCMT ref: 058A085E
                      • Part of subcall function 058A07B9: ___BuildCatchObjectHelper.LIBCMT ref: 058A07EF
                    • _UnwindNestedFrames.LIBCMT ref: 058A0875
                    • ___FrameUnwindToState.LIBCMT ref: 058A0883
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                    • String ID: csm$csm
                    • API String ID: 2163707966-3733052814
                    • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                    • Instruction ID: a54c3226fb4e37041f71358c16847cc1a0fecb7fd68bfed26b5180a5046c6354
                    • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                    • Instruction Fuzzy Hash: 8F012432501209FBEF126F55CC49EAA3E6AFF08354F048020FD19A4120D732D9B1DBA6
                    APIs
                    • __EH_prolog3.LIBCMT ref: 00409E28
                    • std::_Lockit::_Lockit.LIBCPMT ref: 00409E35
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00409E8B
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00409E94
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$DispatcherExceptionException@8H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_ThrowUser
                    • String ID: bad locale name
                    • API String ID: 1777175881-1405518554
                    • Opcode ID: 4c3a0f8ec2c3b43e9b1622e9d0a7fb89ca61f0daff3e45d9e1ae790c5f287f22
                    • Instruction ID: cfe6bd4e532655e878cb0836463bed52bd20e80a7a65bbd5992059e6844203c4
                    • Opcode Fuzzy Hash: 4c3a0f8ec2c3b43e9b1622e9d0a7fb89ca61f0daff3e45d9e1ae790c5f287f22
                    • Instruction Fuzzy Hash: B2015270805B44DEC720DF6A848158FFBF0BF28304B90896FE09AD3642D778A644CB9D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3d53f7e32576e54633436ab6eeedae57057275b2ea6181c95bf9cc80636d15c4
                    • Instruction ID: 1f8f9782ed87a95c96184f7aad462c1dd6ff963d09757823ca4ae9369b69b995
                    • Opcode Fuzzy Hash: 3d53f7e32576e54633436ab6eeedae57057275b2ea6181c95bf9cc80636d15c4
                    • Instruction Fuzzy Hash: 0BC11874E04355AFDB11CFA9D841BAEBBF0BF0E311F14519AE840A7392C7789A41CB69
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16
                    • String ID:
                    • API String ID: 3509577899-0
                    • Opcode ID: d0dd8fbe2648c77ef7f48df0b1fb282a909e615fb878a9b12c65857eb686fbec
                    • Instruction ID: 7038e7a57921961d2bdd141ff5ef0515588d8eed05a9a9c2da12446ee4e61558
                    • Opcode Fuzzy Hash: d0dd8fbe2648c77ef7f48df0b1fb282a909e615fb878a9b12c65857eb686fbec
                    • Instruction Fuzzy Hash: 2A510072711226AFEB258F65ED41EAF77AAEB40710F56022EFD04D6280DF38DC80C658
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 3c1cb713d673844b544b3dba7a79ca6b67edd168104f8e9a2033e051dc06e7ea
                    • Instruction ID: 0010de04d6ea9ada81e678e3f09ba0067e35f14b19d86f3add10b6b496701751
                    • Opcode Fuzzy Hash: 3c1cb713d673844b544b3dba7a79ca6b67edd168104f8e9a2033e051dc06e7ea
                    • Instruction Fuzzy Hash: 3751E271B01A14AFDB20DF29ED41B6AB7F4EF18724F95416EE809DB250E7399A018B48
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: f9caa18d7d6590dbb990782714064f7ff0d7bfa22d9277ebfea798ba4fa04c8f
                    • Instruction ID: 9a994b52d9d8ed19c6a3bbd8f1ae60250289c68a0f4bd3580780396e8ce9ed52
                    • Opcode Fuzzy Hash: f9caa18d7d6590dbb990782714064f7ff0d7bfa22d9277ebfea798ba4fa04c8f
                    • Instruction Fuzzy Hash: 5741D172F006109FCB24DF78D880A5EB3B5EF85314F5546AEE505EB391DA35AD02CB84
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,A97BC7BB), ref: 0588B93A
                    • _memset.LIBCMT ref: 0588B95B
                    • _memset.LIBCMT ref: 0588B9AB
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0588B9C5
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0588BA17
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
                    • String ID:
                    • API String ID: 2416807333-0
                    • Opcode ID: b6e7e152db22d2f245606a39c9b459826cded906894871374e2dd8b41bbe3ee0
                    • Instruction ID: f6b638640e9b8886a1331519a13edbcd9f0d544181e0b979e2af902090c3ec56
                    • Opcode Fuzzy Hash: b6e7e152db22d2f245606a39c9b459826cded906894871374e2dd8b41bbe3ee0
                    • Instruction Fuzzy Hash: 6A410471A40249DAEB20EF64CC89FBAB3A9FF44715F0042A4ED15DB280E775AE40CB91
                    APIs
                    • recv.WS2_32(?,?,00000598,00000000), ref: 05883CBF
                    • SetLastError.KERNEL32(00000000,?,?,0588399F,?,?,00000000,000000FF,00000000), ref: 05883CFA
                    • GetLastError.KERNEL32(00000000), ref: 05883D45
                    • WSAGetLastError.WS2_32(?,?,0588399F,?,?,00000000,000000FF,00000000), ref: 05883D7B
                    • WSASetLastError.WS2_32(0000000D,?,?,0588399F,?,?,00000000,000000FF,00000000), ref: 05883DA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ErrorLast$recv
                    • String ID:
                    • API String ID: 316788870-0
                    • Opcode ID: 03bd0d94a1bd8c1697f1d1891b0947e43812c05e272e75d2a5751e5fe1aaf70f
                    • Instruction ID: 3e843818939ceab30e274ce372480b693467ac8e0b17bbd265ebbd1007d54219
                    • Opcode Fuzzy Hash: 03bd0d94a1bd8c1697f1d1891b0947e43812c05e272e75d2a5751e5fe1aaf70f
                    • Instruction Fuzzy Hash: 9631D5726142009FFB64EF68DCC8B753B6AFB45724F100926ED06DB295DB71EC408A51
                    APIs
                    • _malloc.LIBCMT ref: 05890DE9
                      • Part of subcall function 0588F563: __FF_MSGBANNER.LIBCMT ref: 0588F57C
                      • Part of subcall function 0588F563: __NMSG_WRITE.LIBCMT ref: 0588F583
                      • Part of subcall function 0588F563: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 0588F5A8
                    • _free.LIBCMT ref: 05890DFC
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: AllocateHeap_free_malloc
                    • String ID:
                    • API String ID: 1020059152-0
                    • Opcode ID: fd2ac78fa1722de966b5a6e197749b3e810ae4e4caf5cf92ffdd6ee3046e30cf
                    • Instruction ID: 597bbd3074ef0ca801da9caf4db8821e3140a0ef087a2c12b2c556e342c4ac15
                    • Opcode Fuzzy Hash: fd2ac78fa1722de966b5a6e197749b3e810ae4e4caf5cf92ffdd6ee3046e30cf
                    • Instruction Fuzzy Hash: FB11AB36514715DFDF297F78A80CA7E3BA6EF406A0B14452DFD8AD6140DF349D408A91
                    APIs
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041D954
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0041D96D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Value___vcrt_
                    • String ID:
                    • API String ID: 1426506684-0
                    • Opcode ID: 0c7becb860c4ceb1ba37a92dc874555c8470353414b1d7ed09414db1a019cb8f
                    • Instruction ID: 9f1d0ef141483d4474d6a2c887d1df3b345939b67702fb139500f35742550c41
                    • Opcode Fuzzy Hash: 0c7becb860c4ceb1ba37a92dc874555c8470353414b1d7ed09414db1a019cb8f
                    • Instruction Fuzzy Hash: AD0124F3F287116EA7242B76BC869A727A6DB42338720023FF910852E1EF194C80555C
                    APIs
                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 05882C3F
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 05882C55
                    • TranslateMessage.USER32(?), ref: 05882C64
                    • DispatchMessageW.USER32(?), ref: 05882C6A
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 05882C78
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                    • String ID:
                    • API String ID: 2015114452-0
                    • Opcode ID: a38b874eb4c84b6e4435e4ed58900769e929182186f513e913fcf89ef9df12c7
                    • Instruction ID: 204eed7e951908e29fc8a7965aada3b0d01fc73428e3ba8783fa8738010b7efc
                    • Opcode Fuzzy Hash: a38b874eb4c84b6e4435e4ed58900769e929182186f513e913fcf89ef9df12c7
                    • Instruction Fuzzy Hash: 41018B7665031E76E620E7949C82FFA77ADEB44710F504515FF06EA0C4EAA4BC0187A5
                    APIs
                    • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 05884B83
                    • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 05884B8D
                    • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 05884BA0
                    • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 05884BA3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave
                    • String ID:
                    • API String ID: 3168844106-0
                    • Opcode ID: 4dff95aab73e0daa900c9fe57af2f58a44858f4c23caf676aedf385d1394e26d
                    • Instruction ID: aeadc65a61d89dea3067f9ae3bb99bf2e3e11eadcb5fe27701789ea766c46497
                    • Opcode Fuzzy Hash: 4dff95aab73e0daa900c9fe57af2f58a44858f4c23caf676aedf385d1394e26d
                    • Instruction Fuzzy Hash: 54018F762102108BE720EB69FCC4B6BB7E8EB88318F050829E906C3200DB75FC46CB60
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 1246edc347e60225d4aaa016120baa679a374c5ba24d5788d3149f9dbbfbefda
                    • Instruction ID: b43925895765d2f009bd14c59b52728ecd4078afb275fdc814e9387682b56302
                    • Opcode Fuzzy Hash: 1246edc347e60225d4aaa016120baa679a374c5ba24d5788d3149f9dbbfbefda
                    • Instruction Fuzzy Hash: 12F044B2A11260678620DF5AF485C0AB3E9BA013107D44C0AF044D7650CB7CFC808A5C
                    APIs
                    • __getptd.LIBCMT ref: 05894F02
                      • Part of subcall function 05893D4B: __getptd_noexit.LIBCMT ref: 05893D4E
                      • Part of subcall function 05893D4B: __amsg_exit.LIBCMT ref: 05893D5B
                    • __getptd.LIBCMT ref: 05894F19
                    • __amsg_exit.LIBCMT ref: 05894F27
                    • __lock.LIBCMT ref: 05894F37
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 05894F4B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                    • String ID:
                    • API String ID: 938513278-0
                    • Opcode ID: cd37e0ad243a1ff59c266ecd70eb613ac128bf2d1453a4df09f9495bf9e886b9
                    • Instruction ID: 4fff686403c626f3ddfc04a65de983783a701025ab360b52546efc67ba3eb207
                    • Opcode Fuzzy Hash: cd37e0ad243a1ff59c266ecd70eb613ac128bf2d1453a4df09f9495bf9e886b9
                    • Instruction Fuzzy Hash: F6F0F032A087019AEF6DBBAC6409B6D37A0BF80A20F0C0108EC45EB1E0CF245C438A57
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 058875C2
                    • GetCommandLineW.KERNEL32 ref: 058875C8
                    • GetStartupInfoW.KERNEL32(?), ref: 058875D7
                    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 058875FF
                    • ExitProcess.KERNEL32 ref: 05887607
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                    • String ID:
                    • API String ID: 3421218197-0
                    • Opcode ID: 5e5d6a3d0bb5ec0900785c5d7041053e8d67a7514e2dd2731f2e8dfe4c88aa3a
                    • Instruction ID: 2e4af7ebf4a032faa37a7351209de09721d08503ad6dbff698065920f0fc1f04
                    • Opcode Fuzzy Hash: 5e5d6a3d0bb5ec0900785c5d7041053e8d67a7514e2dd2731f2e8dfe4c88aa3a
                    • Instruction Fuzzy Hash: D2F03075694319BBF730ABA4DC4EFD97B78FB04B10F200294BA1BA60C0EA707A44CB54
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 0588C872
                    • GetCommandLineW.KERNEL32 ref: 0588C878
                    • GetStartupInfoW.KERNEL32(?), ref: 0588C887
                    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0588C8AF
                    • ExitProcess.KERNEL32 ref: 0588C8B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                    • String ID:
                    • API String ID: 3421218197-0
                    • Opcode ID: 91601382ff5d83d8695c82c61649a18808741a84245775ed3f00336884e878d2
                    • Instruction ID: 07f72209f626507d87be4eb000e5b4ac96ebe4e206716eb9e766068713a27b8a
                    • Opcode Fuzzy Hash: 91601382ff5d83d8695c82c61649a18808741a84245775ed3f00336884e878d2
                    • Instruction Fuzzy Hash: 7DF0B275594319BBE7349BA4DC4EFDA7B78FB04711F100294BA16A60D0DE707A44CB54
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 771dc786f6658a9024399fe430c2f8de96f5a30e7c847e001a4952b0482f1834
                    • Instruction ID: 6709fa6e4bdbb06f3ebb60afa057886f26c0b5fe9bfe4956f2568c2b130e8363
                    • Opcode Fuzzy Hash: 771dc786f6658a9024399fe430c2f8de96f5a30e7c847e001a4952b0482f1834
                    • Instruction Fuzzy Hash: C1F0F4FDD62AF09B9602AF25FC214057B60EB1B725381413BF450922B1CB7C2A85CF8D
                    APIs
                      • Part of subcall function 05891BC0: _doexit.LIBCMT ref: 05891BCC
                    • ___set_flsgetvalue.LIBCMT ref: 0588F8BA
                      • Part of subcall function 05893B90: TlsGetValue.KERNEL32(00000000,05893CE9,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000), ref: 05893B99
                      • Part of subcall function 05893B90: DecodePointer.KERNEL32(?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000,?,05893DF6,0000000D), ref: 05893BAB
                      • Part of subcall function 05893B90: TlsSetValue.KERNEL32(00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000,00000000,?,05893DF6), ref: 05893BBA
                    • ___fls_getvalue@4.LIBCMT ref: 0588F8C5
                      • Part of subcall function 05893B70: TlsGetValue.KERNEL32(?,?,0588F8CA,00000000), ref: 05893B7E
                    • ___fls_setvalue@8.LIBCMT ref: 0588F8D8
                      • Part of subcall function 05893BC4: DecodePointer.KERNEL32(?,?,?,0588F8DD,00000000,?,00000000), ref: 05893BD5
                    • GetLastError.KERNEL32(00000000,?,00000000), ref: 0588F8E1
                    • ExitThread.KERNEL32 ref: 0588F8E8
                    • GetCurrentThreadId.KERNEL32 ref: 0588F8EE
                    • __freefls@4.LIBCMT ref: 0588F90E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                    • String ID:
                    • API String ID: 781180411-0
                    • Opcode ID: 19201788671fea6e62c8e1bde4c9af8713e563596902a75fc9d90c6a5b1743cb
                    • Instruction ID: 500b788dd413ea1fa03689627881bee98b3677e69756b5e2148f837a9b0ec4bb
                    • Opcode Fuzzy Hash: 19201788671fea6e62c8e1bde4c9af8713e563596902a75fc9d90c6a5b1743cb
                    • Instruction Fuzzy Hash: 0BE0BF35A003157BEF1937B98D1DD6F7A5DED45251B180810BE11D3400EE259D518AA3
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_
                    • String ID:
                    • API String ID: 2427045233-3916222277
                    • Opcode ID: ed88852d9e5b72fa1a2168c25b96882fc1d6d66d9f13d84725e8bcda2c298194
                    • Instruction ID: ab2bdeaa32475ffbe1317f571ddec7eb762e6d7c5f6d142f4f9cf111bbc0b9aa
                    • Opcode Fuzzy Hash: ed88852d9e5b72fa1a2168c25b96882fc1d6d66d9f13d84725e8bcda2c298194
                    • Instruction Fuzzy Hash: 38517031A10609EFCF14CF94D480AEEB7B2BF88314F54441EE406A7380D738A9C5CB69
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_
                    • String ID:
                    • API String ID: 2427045233-3916222277
                    • Opcode ID: e7d2c7d8d4cceb7a39c05c754bcd5c88fae731caf0d7c4f9f09bfeb02e9547a1
                    • Instruction ID: 0d92959fdd7041aa1dedf74cd9a06e15f03f2e841f68a839bebb7bffc2c872a2
                    • Opcode Fuzzy Hash: e7d2c7d8d4cceb7a39c05c754bcd5c88fae731caf0d7c4f9f09bfeb02e9547a1
                    • Instruction Fuzzy Hash: 4951AD719102059FDF24DF54C580AEEB7B2BF49364F15842AE842B7280EB38E985CB68
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_catchchar_traits
                    • String ID: Failed to get executable path$XD
                    • API String ID: 1964944973-734729076
                    • Opcode ID: 3d920f690cad0d79b8f4c164cfb21b26005b63f36f4fb9cec8e3598886380759
                    • Instruction ID: 994170f763681c9e384b44c0273faa991b16c9c9827b501969fdf731a4adc734
                    • Opcode Fuzzy Hash: 3d920f690cad0d79b8f4c164cfb21b26005b63f36f4fb9cec8e3598886380759
                    • Instruction Fuzzy Hash: 7D51A435A002558FDB20CBA9C5C09AE77F1BF08714F28419AE5159B391C6B8ACC2CB9C
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 0588943A
                      • Part of subcall function 0588EE76: std::exception::exception.LIBCMT ref: 0588EE8B
                      • Part of subcall function 0588EE76: __CxxThrowException@8.LIBCMT ref: 0588EEA0
                      • Part of subcall function 0588EE76: std::exception::exception.LIBCMT ref: 0588EEB1
                    • std::_Xinvalid_argument.LIBCPMT ref: 05889472
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE3E
                      • Part of subcall function 0588EE29: __CxxThrowException@8.LIBCMT ref: 0588EE53
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE64
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                    • String ID: invalid string position$string too long
                    • API String ID: 1823113695-4289949731
                    • Opcode ID: 7156c2dca320b0891893607cde0e2013dce50977c0cc4a4c3eb1f9e0692e5d44
                    • Instruction ID: 4e9292139044cb59b3160cc1bc16f752cf6330f4752b28fb593eaab30f9f6f51
                    • Opcode Fuzzy Hash: 7156c2dca320b0891893607cde0e2013dce50977c0cc4a4c3eb1f9e0692e5d44
                    • Instruction Fuzzy Hash: 232182333046149BD721FE6CE880E7AF7D9EB91665B200A2FE996CB740D672DC44C7A1
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 058884B9
                      • Part of subcall function 0588EE76: std::exception::exception.LIBCMT ref: 0588EE8B
                      • Part of subcall function 0588EE76: __CxxThrowException@8.LIBCMT ref: 0588EEA0
                      • Part of subcall function 0588EE76: std::exception::exception.LIBCMT ref: 0588EEB1
                    • std::_Xinvalid_argument.LIBCPMT ref: 058884D7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                    • String ID: invalid string position$string too long
                    • API String ID: 963545896-4289949731
                    • Opcode ID: 20ce08a7ead6481218398797544fc1cbb71b25c3bcd1eecf9dfdddbb0ea04072
                    • Instruction ID: 993dad8663a7d76b05d4c7f002df5e7f38a61ce782b3d5305f2b847173850948
                    • Opcode Fuzzy Hash: 20ce08a7ead6481218398797544fc1cbb71b25c3bcd1eecf9dfdddbb0ea04072
                    • Instruction Fuzzy Hash: 7C218C72304306AB8B14EF68E890C7973AAFF882147504A29ED06CB751EB30ED58CB95
                    APIs
                    • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 0588B777
                    • RegCloseKey.ADVAPI32(?), ref: 0588B782
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CloseDeleteValue
                    • String ID: Console$IpDatespecial
                    • API String ID: 2831762973-1840232981
                    • Opcode ID: 26cf1461c163e3b495c699fdea7647ac94d50b222634989cc956c9431b284399
                    • Instruction ID: c325dab80da3814507cff4add6bd1bc77b1a8b8a4689f6a55c96cac7b2bb299e
                    • Opcode Fuzzy Hash: 26cf1461c163e3b495c699fdea7647ac94d50b222634989cc956c9431b284399
                    • Instruction Fuzzy Hash: 61D0C237340300EFE210EA94EC8AF2AF394EB88711F00840AFF02E214089B0B845DB61
                    APIs
                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 0588D7A8
                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 0588D878
                    • SetLastError.KERNEL32(0000007F), ref: 0588D8A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Read$ErrorLast
                    • String ID:
                    • API String ID: 2715074504-0
                    • Opcode ID: 9b8ffe8695cdf902ac53edc93f97308f553c81ec88ca0358093c28035a21c0fe
                    • Instruction ID: a010a7ad59e56835256646c35c5f77c5da318861633c357fa925966e1fe3d692
                    • Opcode Fuzzy Hash: 9b8ffe8695cdf902ac53edc93f97308f553c81ec88ca0358093c28035a21c0fe
                    • Instruction Fuzzy Hash: 0D418C75A052059BEB20EF99D881A6AF7FAFF88314F148959EC0AD7780D774F901CB90
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0589A4E6
                    • __isleadbyte_l.LIBCMT ref: 0589A519
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 0589A54A
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 0589A5B8
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 9365f7f79dbd02f5da7db392e7a05b1d02002207c7f075c474a6bd2292f93791
                    • Instruction ID: c58ee52d2750bf5682c51dd95cd75c21b1666d76912688c01a0426d0198412b3
                    • Opcode Fuzzy Hash: 9365f7f79dbd02f5da7db392e7a05b1d02002207c7f075c474a6bd2292f93791
                    • Instruction Fuzzy Hash: 5E31A071B04255EFDF2CDFA8C8849BE3BA5BF01211F1885A9E866DB190E730ED40DB51
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: lstrlen$_memset
                    • String ID:
                    • API String ID: 2425037729-0
                    • Opcode ID: f1c0d9e45d4233e67239433d12de6dc7664b1e1c2b8269df191dec27339f8cdd
                    • Instruction ID: fe8ae1d18af8ec23ea3f80d3d7e6846afea768dd7007e9fd883be4f7125a9f87
                    • Opcode Fuzzy Hash: f1c0d9e45d4233e67239433d12de6dc7664b1e1c2b8269df191dec27339f8cdd
                    • Instruction Fuzzy Hash: 5E21DA76B042185BCF28EE6CDC809BE73AAFBC4710B65846DED09D7201F771AD518BA1
                    APIs
                    • SetLastError.KERNEL32(0000139F), ref: 058843EC
                      • Part of subcall function 058813A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 058813CB
                      • Part of subcall function 058841E0: EnterCriticalSection.KERNEL32(05884FB5,05884E55,058842BE,00000000,?,?,05884E55,?,?,?,?,00000000,000000FF), ref: 058841E8
                      • Part of subcall function 058841E0: LeaveCriticalSection.KERNEL32(05884FB5,?,?,?,00000000,000000FF), ref: 058841F6
                      • Part of subcall function 05884C70: HeapFree.KERNEL32(?,00000000,?,00000000,05884E55,?,058842C8,05884E55,00000000,?,?,05884E55,?), ref: 05884C97
                    • SetLastError.KERNEL32(00000000,?), ref: 058843D7
                    • SetLastError.KERNEL32(00000057), ref: 05884401
                    • WSAGetLastError.WS2_32(?), ref: 05884410
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                    • String ID:
                    • API String ID: 2060118545-0
                    • Opcode ID: f9f6ccf4d917fd4a514f7b330a65bbed5d39ada1c41db0a7a43a599ad2482d32
                    • Instruction ID: c96b5cdd2b8a866c0f7ff3f30d01ae0f61a9250a2c6a2e2e8434b00e304109cc
                    • Opcode Fuzzy Hash: f9f6ccf4d917fd4a514f7b330a65bbed5d39ada1c41db0a7a43a599ad2482d32
                    • Instruction Fuzzy Hash: 4611A73BB09518979B10FE69F8445EEB7A8FF84636B0401A6EC0ED3600EB359D0147D1
                    APIs
                    • _free.LIBCMT ref: 0588DDD3
                    • _free.LIBCMT ref: 0588DE15
                    • GetProcessHeap.KERNEL32(00000000,00000000,0588DBD5), ref: 0588DE3C
                    • HeapFree.KERNEL32(00000000), ref: 0588DE43
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Heap_free$FreeProcess
                    • String ID:
                    • API String ID: 1072109031-0
                    • Opcode ID: 7e49de99261ddfbc71e7f57ada14de5d4209c3d09f2adb8741e52c8f33dd82f4
                    • Instruction ID: ceb2dbbc9f2f56bdda8c1dfe3597135593e0a9638207c6de43143b097034a735
                    • Opcode Fuzzy Hash: 7e49de99261ddfbc71e7f57ada14de5d4209c3d09f2adb8741e52c8f33dd82f4
                    • Instruction Fuzzy Hash: 52112B71601B00ABD630EA69CD49F67B3A9FB84700F14891CE99B87A80DB74F842CB51
                    APIs
                    • WSAEventSelect.WS2_32(?,05883ABB,00000023), ref: 05883C02
                    • WSAGetLastError.WS2_32 ref: 05883C0D
                    • send.WS2_32(?,00000000,00000000,00000000), ref: 05883C58
                    • WSAGetLastError.WS2_32 ref: 05883C63
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: ErrorLast$EventSelectsend
                    • String ID:
                    • API String ID: 259408233-0
                    • Opcode ID: f08f5b09f09483031fe3fae0ee1d342e92b0dfab053209e632a09831c50b2997
                    • Instruction ID: ecc5f0a344262e33402fb4be4691b44cc4fc8870242c01bddde68b541b3b1af4
                    • Opcode Fuzzy Hash: f08f5b09f09483031fe3fae0ee1d342e92b0dfab053209e632a09831c50b2997
                    • Instruction Fuzzy Hash: BF111FB66107009BD730AB79D888A67BAEAFB89B14F110A1DF957C7650DB75F8008B50
                    APIs
                    • _com_issue_error.COMSUPP ref: 00419644
                    • _com_issue_error.COMSUPP ref: 00419681
                    • SysAllocString.OLEAUT32(00000000), ref: 00419687
                    • _com_issue_error.COMSUPP ref: 004196A9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _com_issue_error$AllocString
                    • String ID:
                    • API String ID: 245909816-0
                    • Opcode ID: 501e6b04af8355a67b84f2c383adb1f98b6c0f41ce6aaac3be59f62b7178dda0
                    • Instruction ID: 1d0dd822b0c7db4144dc7e043cacaa93b206406b730ac036a5011f82a45548da
                    • Opcode Fuzzy Hash: 501e6b04af8355a67b84f2c383adb1f98b6c0f41ce6aaac3be59f62b7178dda0
                    • Instruction Fuzzy Hash: 8111C672A00214ABCB255BA19C457DF7765DF48314F01012FF905B6240EA3D9D90C6BD
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                    • Instruction ID: 05cbb4b7c83cb76c5ae9dbb5e21d7d013ba1372be57a3077caa1ca88d3780dd6
                    • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                    • Instruction Fuzzy Hash: AE11437600814DBBCF1A5E84EC05CED3F67BB58256B488415FE1999030C33BC971AB81
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0041A1B8
                      • Part of subcall function 0041A7F0: ___AdjustPointer.LIBCMT ref: 0041A83A
                    • _UnwindNestedFrames.LIBCMT ref: 0041A1CF
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 0041A1E1
                    • CallCatchBlock.LIBVCRUNTIME ref: 0041A205
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                    • String ID:
                    • API String ID: 2633735394-0
                    • Opcode ID: 08551ddd603f21dc6f7fc468f76b9c3b003be5c4bc19ae637f83aaf99b94841c
                    • Instruction ID: 2d441d66b1c49fcde367b25591180309cdd9d7be12b29a3599bac2a37da5e321
                    • Opcode Fuzzy Hash: 08551ddd603f21dc6f7fc468f76b9c3b003be5c4bc19ae637f83aaf99b94841c
                    • Instruction Fuzzy Hash: 9D012D32000109BBCF125F55CC01EDA3B75FF48758F05401AF91862121D33AE8F1DB95
                    APIs
                    • EnterCriticalSection.KERNEL32(05884FB5,05884E55,058842BE,00000000,?,?,05884E55,?,?,?,?,00000000,000000FF), ref: 058841E8
                    • LeaveCriticalSection.KERNEL32(05884FB5,?,?,?,00000000,000000FF), ref: 058841F6
                    • LeaveCriticalSection.KERNEL32(05884FB5), ref: 05884257
                    • SetEvent.KERNEL32(8520468B), ref: 05884272
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CriticalSection$Leave$EnterEvent
                    • String ID:
                    • API String ID: 3394196147-0
                    • Opcode ID: 6493336fb5f43f55e11cb55aae28acde180de7d84615f89aa8070b62391b759a
                    • Instruction ID: 6533901699862550ef6cf07135fc38c1f4be5b126a6005ee0605e420fef38b9d
                    • Opcode Fuzzy Hash: 6493336fb5f43f55e11cb55aae28acde180de7d84615f89aa8070b62391b759a
                    • Instruction Fuzzy Hash: 0D1106B5605B019FDB24DF74D584AA6BBE5FF48304B15892DE86FC7211EB31E801CB00
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 00410E0C
                    • new.LIBCMT ref: 00410E26
                      • Part of subcall function 0040A025: __EH_prolog3_GS.LIBCMT ref: 0040A02C
                    • __Getcoll.LIBCPMT ref: 00410E64
                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00410E74
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_$GetcollLocinfoLocinfo::~_std::_
                    • String ID:
                    • API String ID: 3170657810-0
                    • Opcode ID: 5d56d57dba86ca919bfc7954abaef7197d91b5eee102eb90a6610f2e7685b1d9
                    • Instruction ID: 9f9e0daaae16aed48b01f14ec148c1de816a6c3cfcc9b435084ebaff503b4ee6
                    • Opcode Fuzzy Hash: 5d56d57dba86ca919bfc7954abaef7197d91b5eee102eb90a6610f2e7685b1d9
                    • Instruction Fuzzy Hash: E0112DB19403099FDB10EFA6C5417DEB7B4AF08315F10842EE4557B281DBB89984CBA9
                    APIs
                    • timeGetTime.WINMM(00000001,?,00000001,?,05883C4F,?,?,00000001), ref: 05884B15
                    • InterlockedIncrement.KERNEL32(00000001), ref: 05884B24
                    • InterlockedIncrement.KERNEL32(00000001), ref: 05884B31
                    • timeGetTime.WINMM(?,05883C4F,?,?,00000001), ref: 05884B48
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: IncrementInterlockedTimetime
                    • String ID:
                    • API String ID: 159728177-0
                    • Opcode ID: 063dc39dbfda6dde45492ecfe158b3011580f340e5cae162e2ab195fb5604e86
                    • Instruction ID: 2eeaa37e6cae7bcf2f0974c0bacf95e3321ab7afe463d1f895f85e5a7f7b1682
                    • Opcode Fuzzy Hash: 063dc39dbfda6dde45492ecfe158b3011580f340e5cae162e2ab195fb5604e86
                    • Instruction Fuzzy Hash: 3901C8B56007059FCB20EFAED88095AFBE9EF58650700892AE949C7610E675EA448FA0
                    APIs
                    • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 05883667
                    • _free.LIBCMT ref: 0588369C
                      • Part of subcall function 0588F529: RtlFreeHeap.NTDLL(00000000,00000000,?,05893D3C,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66), ref: 0588F53F
                      • Part of subcall function 0588F529: GetLastError.KERNEL32(00000000,?,05893D3C,00000000,?,058943F0,00000000,00000001,00000000,?,05898CD6,00000018,058A6338,0000000C,05898D66,00000000), ref: 0588F551
                    • _malloc.LIBCMT ref: 058836D7
                    • _memset.LIBCMT ref: 058836E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                    • String ID:
                    • API String ID: 3340475617-0
                    • Opcode ID: 69cc01ecf12743789462bb2c6dd97a148e8c105857e06f2264df907a72fed25f
                    • Instruction ID: c31af23d20c15981d4d11ae337db5a0623fc2c5ec5790918c668226ed52ecb1b
                    • Opcode Fuzzy Hash: 69cc01ecf12743789462bb2c6dd97a148e8c105857e06f2264df907a72fed25f
                    • Instruction Fuzzy Hash: 3201CCB1900B04DFE720DF7A98C5B97BAE8FB45254F104C2EE9AEC3301DA34A8048F20
                    APIs
                      • Part of subcall function 05881420: HeapFree.KERNEL32(?,00000000,?,?,?,058840B1,?,00000000,05884039,?,7591DFA0,05883648), ref: 0588143D
                      • Part of subcall function 05881420: _free.LIBCMT ref: 05881459
                    • HeapDestroy.KERNEL32(00000000), ref: 0588CCD3
                    • HeapCreate.KERNEL32(?,?,?), ref: 0588CCE5
                    • _free.LIBCMT ref: 0588CCF5
                    • HeapDestroy.KERNEL32 ref: 0588CD22
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Heap$Destroy_free$CreateFree
                    • String ID:
                    • API String ID: 4097506873-0
                    • Opcode ID: d48401cd17b23a450da6730c30cb3cf44a90b1ab4d37104ef219f99435977fed
                    • Instruction ID: d274e119e02df049343d2f21ed25dc815cafb57435bafce029a3b899df32ff23
                    • Opcode Fuzzy Hash: d48401cd17b23a450da6730c30cb3cf44a90b1ab4d37104ef219f99435977fed
                    • Instruction Fuzzy Hash: 98F03CB92007029BE320AF24E848B63FBB8FF44710F104518EC56C7640DB34F851CBA0
                    APIs
                    • __EH_prolog3.LIBCMT ref: 0040A2EB
                    • new.LIBCMT ref: 0040A302
                      • Part of subcall function 00409E21: __EH_prolog3.LIBCMT ref: 00409E28
                      • Part of subcall function 00409E21: std::_Lockit::_Lockit.LIBCPMT ref: 00409E35
                      • Part of subcall function 00409E21: __CxxThrowException@8.LIBVCRUNTIME ref: 00409E8B
                      • Part of subcall function 00409E21: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00409E94
                    • ctype.LIBCPMT ref: 0040A32D
                      • Part of subcall function 0040A36E: __Getctype.LIBCPMT ref: 0040A37D
                      • Part of subcall function 0040A36E: __Getcvt.LIBCPMT ref: 0040A38F
                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 0040A337
                      • Part of subcall function 00409EA5: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00409ECC
                      • Part of subcall function 00409EA5: std::_Lockit::~_Lockit.LIBCPMT ref: 00409F3D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4457031381.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457077071.0000000000438000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457097434.0000000000439000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457126629.000000000044D000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000452000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457145910.0000000000454000.00000008.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457189053.000000000046B000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457210193.000000000046D000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457231771.0000000000481000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457246358.0000000000482000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457264153.000000000048A000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457284792.0000000000490000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457334913.000000000051E000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457353911.000000000051F000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457371889.0000000000521000.00000040.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457390726.0000000000522000.00000080.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457408244.0000000000523000.00000004.00000001.01000000.00000007.sdmp
                    • Associated: 00000000.00000002.4457425861.0000000000524000.00000002.00000001.01000000.00000007.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$H_prolog3Locinfo::_Lockit$Exception@8GetctypeGetcvtLocinfoLocinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwctype
                    • String ID:
                    • API String ID: 137054408-0
                    • Opcode ID: 37e2460600290bc7324e6d338c4ff336e261c3139884df18d7a4f63982ae1179
                    • Instruction ID: b1a882ab031b0a6e660c2dd27d4948e8e787ca023142f20653bb959ff04e54dd
                    • Opcode Fuzzy Hash: 37e2460600290bc7324e6d338c4ff336e261c3139884df18d7a4f63982ae1179
                    • Instruction Fuzzy Hash: E5F030B19003069EDB14EFA5C49259EB7A4BF18704F60842FF909BB2C2DF7C5A448799
                    APIs
                    • __EH_prolog3.LIBCMT ref: 0040A136
                    • new.LIBCMT ref: 0040A14D
                      • Part of subcall function 00409E21: __EH_prolog3.LIBCMT ref: 00409E28
                      • Part of subcall function 00409E21: std::_Lockit::_Lockit.LIBCPMT ref: 00409E35
                      • Part of subcall function 00409E21: __CxxThrowException@8.LIBVCRUNTIME ref: 00409E8B
                      • Part of subcall function 00409E21: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00409E94
                    • ctype.LIBCPMT ref: 0040A170
                      • Part of subcall function 0040A0FA: __Getctype.LIBCPMT ref: 0040A115
                    • std::_Locinfo::~_Locinfo.LIBCPMT ref: 0040A17A
                      • Part of subcall function 00409EA5: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00409ECC
                      • Part of subcall function 00409EA5: std::_Lockit::~_Lockit.LIBCPMT ref: 00409F3D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$H_prolog3Locinfo::_Lockit$Exception@8GetctypeLocinfoLocinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwctype
                    • String ID:
                    • API String ID: 2334464816-0
                    • Opcode ID: 3ccab37a23aa6f83a4e88f4d10bc8d100948e0d6ed8e5947f3fecc1ca2268b28
                    • Instruction ID: 396627fd31e0b88194369139e07c1f859b2d7b0e060b00cf3b2f78f25742c17a
                    • Opcode Fuzzy Hash: 3ccab37a23aa6f83a4e88f4d10bc8d100948e0d6ed8e5947f3fecc1ca2268b28
                    • Instruction Fuzzy Hash: 8AF05E715003099EDB00EFA5C88699E7374AF54704F60843FB809BB2C2EF7C5E418799
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocH_prolog3String_com_issue_error
                    • String ID:
                    • API String ID: 818911185-0
                    • Opcode ID: 9f840b7efd5b874153f4ab90fefe84b951d03f73a419947a7c6dd9b109c86dec
                    • Instruction ID: 735d60f3b89fb8fa2707d030bba645655ec1efb4cce8ddbd16b75693e231a0c3
                    • Opcode Fuzzy Hash: 9f840b7efd5b874153f4ab90fefe84b951d03f73a419947a7c6dd9b109c86dec
                    • Instruction Fuzzy Hash: 12F09671401712DBD7205F64C94576AB660AF00725F21822FF9546A2C1DBBC8940C7A8
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConvertH_prolog3String_com_issue_error_com_util::
                    • String ID:
                    • API String ID: 1487652900-0
                    • Opcode ID: 875acc07987b29fb107b9825acf1b7cce1e49a21829fc6d177c4c4e1cfa1b28f
                    • Instruction ID: 8c7e6a351b7f4733df93f66e31383111bb1fc1088f32a56a3e266ec526b497d9
                    • Opcode Fuzzy Hash: 875acc07987b29fb107b9825acf1b7cce1e49a21829fc6d177c4c4e1cfa1b28f
                    • Instruction Fuzzy Hash: FFF08972401321DBD7216F64C4517AAB661AF10728F31821EF9557B2C1D7B8494087DD
                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0041D6C8
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0041D6CD
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0041D6D2
                      • Part of subcall function 0041DA89: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0041DA9A
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0041D6E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    • Opcode ID: 4620ded051c162a4ab368f0813539878333b42ab7183a8981c68f5926920f08c
                    • Instruction ID: 14806c7f250ec3626344af4879b1366c9576fbdb1d4d95a577f50898cf21947d
                    • Opcode Fuzzy Hash: 4620ded051c162a4ab368f0813539878333b42ab7183a8981c68f5926920f08c
                    • Instruction Fuzzy Hash: 4EC048F4C18A05611C10BAB72A025EE03200CA27CEB9524CBF9CA1B20B8D0E05CBA83F
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 0042419D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorHandling__start
                    • String ID: pow
                    • API String ID: 3213639722-2276729525
                    • Opcode ID: e5e82ffe086c981db9afb31094810e73edfc3309b85f83be6859e0d5b6128b63
                    • Instruction ID: 189da1eceaaa8123b2eafa8983f7637ae16cf0e11565192851021ce7acfc06a0
                    • Opcode Fuzzy Hash: e5e82ffe086c981db9afb31094810e73edfc3309b85f83be6859e0d5b6128b63
                    • Instruction Fuzzy Hash: D8516861B1812596CB11BB14FD8637F7B94DB90740FA0596BE081823E9DE3C8CE59A8E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: >3C$>3C
                    • API String ID: 0-3801535234
                    • Opcode ID: 38464908b481d69f937ad94f196b31f0b6eee8f1eb4fe71198e47b4ab4eb7552
                    • Instruction ID: 12e52974e394cac54a72286938c568d5ad8dbb484fd8cc99b5da34793fccba5c
                    • Opcode Fuzzy Hash: 38464908b481d69f937ad94f196b31f0b6eee8f1eb4fe71198e47b4ab4eb7552
                    • Instruction Fuzzy Hash: E1510A31A04255EBCB20CF54D991B6EB7B0FF19320F24916BD5589B3D0D3B89982C7D9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: C:\Users\user\Desktop\Wk6IMAhBNF.exe
                    • API String ID: 269201875-76231843
                    • Opcode ID: a2204e26124afb59e109e3562998905899498828fdb93cae4cca61aeb0aed4a2
                    • Instruction ID: d28aafec6ce904aa0ef55ce62c2edf42dfbfe93860beb333fdfc34f057bfea3d
                    • Opcode Fuzzy Hash: a2204e26124afb59e109e3562998905899498828fdb93cae4cca61aeb0aed4a2
                    • Instruction Fuzzy Hash: E7319375B00268EFDB21EF99E88499EBBF8EFC6310B50406BE40497211D7749E41CB58
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 004062D8
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00406339
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID: J
                    • API String ID: 1841272387-1141589763
                    • Opcode ID: 21ccc6eb26e3514dd02dc366ebec23d5d77ad26cf889ffa905f28f2c01f6c566
                    • Instruction ID: bd142b150e7d5f7b1d6d20f2e9f65cd08ff92f8dc46682db57dc9730bd17271b
                    • Opcode Fuzzy Hash: 21ccc6eb26e3514dd02dc366ebec23d5d77ad26cf889ffa905f28f2c01f6c566
                    • Instruction Fuzzy Hash: EF210BB7985B8CAFE310E6C5585DBB6B76CE31672BF204B37E562D12D0C77800028691
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00406874
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004068D5
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID: .
                    • API String ID: 1841272387-248832578
                    • Opcode ID: df488ffe395492a7805ad43ceb01c0eaa1b880c4131f3f59d55ce9b09a0377c7
                    • Instruction ID: e5c55011ddf896b15ad970a0273a1d11157de5090f95664c0b4d7624cbe3adba
                    • Opcode Fuzzy Hash: df488ffe395492a7805ad43ceb01c0eaa1b880c4131f3f59d55ce9b09a0377c7
                    • Instruction Fuzzy Hash: 61210DB79C5A8CAFE310EAC5585DB7677ACE31673BF200737E552D2790D62844418190
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00408046
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004080A4
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID: J
                    • API String ID: 1841272387-1141589763
                    • Opcode ID: c3818944ac7596b4264a46947aa60dd8051a880f47ff73396ff69b8cbee30cf5
                    • Instruction ID: 56ade25a5ef2ed7a3fde89bbd09d82a5c4e53b822f81685480d03e47512ca7b9
                    • Opcode Fuzzy Hash: c3818944ac7596b4264a46947aa60dd8051a880f47ff73396ff69b8cbee30cf5
                    • Instruction Fuzzy Hash: 04212B77989B8CAFE310E6C55C59BB6B7ACE316B3BF200B37E551D2280C77C00018591
                    APIs
                    • __EH_prolog3_catch_GS.LIBCMT ref: 00404A5D
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00404AC6
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catch_ThrowUser
                    • String ID: Q
                    • API String ID: 2496864217-3463352047
                    • Opcode ID: a18495e538ca8df67fbf7f549a35c935356fae9502840ff7da9844c1083b05de
                    • Instruction ID: 12ea4b6d12ca5ea5f4f8bf261031fdeadcb1a468b35f8689ed9a9963d225adf1
                    • Opcode Fuzzy Hash: a18495e538ca8df67fbf7f549a35c935356fae9502840ff7da9844c1083b05de
                    • Instruction Fuzzy Hash: AF2126B3989B8CAFE320EAC59C5DBB6B7ACE306737F200B67E415D22D0C77845418A54
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 0040274D
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004027A6
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: DispatcherExceptionException@8H_prolog3_catchThrowUser
                    • String ID: 6
                    • API String ID: 1841272387-498629140
                    • Opcode ID: 3a03316ee69d087bb876c30cd0bc8d4327f6de08990793fd5fa26647a4f13ea3
                    • Instruction ID: 3c57e26f9aefef52b14ca4f69f2468dec3002322f978c6b7ece63b7feb34ed34
                    • Opcode Fuzzy Hash: 3a03316ee69d087bb876c30cd0bc8d4327f6de08990793fd5fa26647a4f13ea3
                    • Instruction Fuzzy Hash: 5C11E677988A48AFE320EBC59C59FB6B7ACE306B3AF300B37F512D6790D76854008594
                    APIs
                    • __EH_prolog3_catch.LIBCMT ref: 00401D61
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00401DBA
                      • Part of subcall function 0041B2CA: KiUserExceptionDispatcher.NTDLL(?,?,?,?), ref: 0041B329
                      • Part of subcall function 0040194B: __EH_prolog3_catch.LIBCMT ref: 00401952
                      • Part of subcall function 0040194B: __CxxThrowException@8.LIBVCRUNTIME ref: 004019AB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8H_prolog3_catchThrow$DispatcherExceptionUser
                    • String ID: C
                    • API String ID: 1909432332-1037565863
                    • Opcode ID: b683ac18e3245f6b6a9a26d77790b351e86832feaa3594ecdf31e8f52a301825
                    • Instruction ID: 6fb9e9940292d7d9457c01b70f608ec0d70ea234a51dbbc2a8c4d82ba037bf5c
                    • Opcode Fuzzy Hash: b683ac18e3245f6b6a9a26d77790b351e86832feaa3594ecdf31e8f52a301825
                    • Instruction Fuzzy Hash: 9311387798864CAFE720EAC59C56BBAB7ACE302B36F300B37F511D26C0D72C44008194
                    APIs
                      • Part of subcall function 0588BBD0: GetDesktopWindow.USER32 ref: 0588BBEF
                      • Part of subcall function 0588BBD0: GetDC.USER32(00000000), ref: 0588BBFC
                      • Part of subcall function 0588BBD0: CreateCompatibleDC.GDI32(00000000), ref: 0588BC02
                      • Part of subcall function 0588BBD0: GetDC.USER32(00000000), ref: 0588BC0D
                      • Part of subcall function 0588BBD0: GetDeviceCaps.GDI32(00000000,00000008), ref: 0588BC1A
                      • Part of subcall function 0588BBD0: GetDeviceCaps.GDI32(00000000,00000076), ref: 0588BC22
                      • Part of subcall function 0588BBD0: ReleaseDC.USER32(00000000,00000000), ref: 0588BC33
                      • Part of subcall function 0588BBD0: GetSystemMetrics.USER32(0000004C), ref: 0588BCD8
                      • Part of subcall function 0588BBD0: GetSystemMetrics.USER32(0000004D), ref: 0588BCED
                      • Part of subcall function 0588BBD0: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0588BD06
                      • Part of subcall function 0588BBD0: SelectObject.GDI32(?,00000000), ref: 0588BD14
                      • Part of subcall function 0588BBD0: SetStretchBltMode.GDI32(?,00000003), ref: 0588BD20
                      • Part of subcall function 0588BBD0: GetSystemMetrics.USER32(0000004F), ref: 0588BD2D
                      • Part of subcall function 0588BBD0: GetSystemMetrics.USER32(0000004E), ref: 0588BD40
                      • Part of subcall function 0588F5F7: _malloc.LIBCMT ref: 0588F611
                    • _memset.LIBCMT ref: 0588B1C2
                    • swprintf.LIBCMT ref: 0588B1E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
                    • String ID: %s %s
                    • API String ID: 1028806752-581060391
                    • Opcode ID: bcd66b8e0de4932203ade4df959862d87008c33010fe12d7ae96ef2ffe9a4f2a
                    • Instruction ID: 27c6fc130e089fbe05d8ee30f598e9062ce9d109fbe2b5ea39b56eb16bf90b5c
                    • Opcode Fuzzy Hash: bcd66b8e0de4932203ade4df959862d87008c33010fe12d7ae96ef2ffe9a4f2a
                    • Instruction Fuzzy Hash: FA21E1B2A04341ABE611FE189C84E6BB7E8EFD5600F08452EFC89D6201E6719D09C7A3
                    APIs
                    • __EH_prolog3_GS.LIBCMT ref: 00414625
                      • Part of subcall function 00414782: __EH_prolog3_GS.LIBCMT ref: 00414789
                      • Part of subcall function 0040FA39: std::_Deallocate.LIBCONCRT ref: 0040FA69
                    • new.LIBCMT ref: 0041468E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prolog3_$Deallocatestd::_
                    • String ID: ?A^
                    • API String ID: 2283364142-1641652588
                    • Opcode ID: 1d23dea81c4e98d75ac3add1cd86394256747e2509eb1a1ce4c850a5a4cd0506
                    • Instruction ID: 994f9a054eef8c1c1bab20b20b6dd4485cfecc21ef81bf349a33104e299d0cff
                    • Opcode Fuzzy Hash: 1d23dea81c4e98d75ac3add1cd86394256747e2509eb1a1ce4c850a5a4cd0506
                    • Instruction Fuzzy Hash: 62219271E006089BDB14DFA9C451BDEF7F5AF58314F20812EE915A7381CB78A949CB94
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 05889105
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE3E
                      • Part of subcall function 0588EE29: __CxxThrowException@8.LIBCMT ref: 0588EE53
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE64
                    • std::_Xinvalid_argument.LIBCPMT ref: 05889118
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                    • String ID: string too long
                    • API String ID: 963545896-2556327735
                    • Opcode ID: 0803e36d07f046bf3558ee8e165b34f5db3c581b673722e3714ff0f5aa63cfa1
                    • Instruction ID: a5c5cfee5c31d9fe553160efa3d96072e64c771312dc5b833a4c6045d8569592
                    • Opcode Fuzzy Hash: 0803e36d07f046bf3558ee8e165b34f5db3c581b673722e3714ff0f5aa63cfa1
                    • Instruction Fuzzy Hash: 6811CB797087409BD331EE1CD844A36B7E5EBD1621F100A6AE991C7741C776FC05C7A1
                    APIs
                    • __CxxThrowException@8.LIBCMT ref: 0588940D
                    • std::_Xinvalid_argument.LIBCPMT ref: 0588943A
                    Strings
                    • invalid string position, xrefs: 05889435
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: Exception@8ThrowXinvalid_argumentstd::_
                    • String ID: invalid string position
                    • API String ID: 3614006799-1799206989
                    • Opcode ID: 343aec70f23c3b7778124432c1719552bab2fad92a224a7f9aac7f9d687acd30
                    • Instruction ID: bfcef7b4f2fa22f86b1507a629514daf3c7ae9a319fd1e601cf30030b77858d8
                    • Opcode Fuzzy Hash: 343aec70f23c3b7778124432c1719552bab2fad92a224a7f9aac7f9d687acd30
                    • Instruction Fuzzy Hash: F301A2323043056BD724FE6CD884BBAB399EB50624F104A29E956CBA80D7B1AD44C7A2
                    APIs
                    • __output_l.LIBCMT ref: 0588F705
                      • Part of subcall function 0588F80B: __getptd_noexit.LIBCMT ref: 0588F80B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __getptd_noexit__output_l
                    • String ID: B
                    • API String ID: 2141734944-1255198513
                    • Opcode ID: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
                    • Instruction ID: e215ed737104d085d97f353b057d8ab7607c4b1a61873669d036d12cac3ff309
                    • Opcode Fuzzy Hash: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
                    • Instruction Fuzzy Hash: F7016D75A0424DAFEF00AFA8CC05BFEBBB4FB44364F040116ED25E6290D7749941DBA5
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 0588956F
                      • Part of subcall function 0588EE76: std::exception::exception.LIBCMT ref: 0588EE8B
                      • Part of subcall function 0588EE76: __CxxThrowException@8.LIBCMT ref: 0588EEA0
                      • Part of subcall function 0588EE76: std::exception::exception.LIBCMT ref: 0588EEB1
                    • _memmove.LIBCMT ref: 058895A5
                    Strings
                    • invalid string position, xrefs: 0588956A
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                    • String ID: invalid string position
                    • API String ID: 1785806476-1799206989
                    • Opcode ID: 6db54662acb1df0bb36b866dc040bcacdd31bff65827a82680281b5e66a36e21
                    • Instruction ID: cb2edecf55787628d4a154087c93372fc127f08c7fc4a7a3a63eaa1e58cdf083
                    • Opcode Fuzzy Hash: 6db54662acb1df0bb36b866dc040bcacdd31bff65827a82680281b5e66a36e21
                    • Instruction Fuzzy Hash: E801A2313043019BD725EE6CEC94A3AB3E7DBC5608B244E2CD892CBB49D6B0DC4A4790
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 0588D114
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE3E
                      • Part of subcall function 0588EE29: __CxxThrowException@8.LIBCMT ref: 0588EE53
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE64
                    • _memmove.LIBCMT ref: 0588D14D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                    • String ID: vector<T> too long
                    • API String ID: 1785806476-3788999226
                    • Opcode ID: 16c6f307e4c31d62be50dfed548a680f7ec3d5e3f729bfefae6158776132e85b
                    • Instruction ID: 37e8ea338ebdcb8a52462dd29f36eacd9f9d89fb479649e48e0aede10cb8f4a1
                    • Opcode Fuzzy Hash: 16c6f307e4c31d62be50dfed548a680f7ec3d5e3f729bfefae6158776132e85b
                    • Instruction Fuzzy Hash: B601B5766602055BE700EE6DF8EA87ABB9CE640210B14062AFC05D7380EB38BC04C691
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 05888433
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE3E
                      • Part of subcall function 0588EE29: __CxxThrowException@8.LIBCMT ref: 0588EE53
                      • Part of subcall function 0588EE29: std::exception::exception.LIBCMT ref: 0588EE64
                    • _memmove.LIBCMT ref: 0588845E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                    • String ID: vector<T> too long
                    • API String ID: 1785806476-3788999226
                    • Opcode ID: a8def76b33f6a24b0ab0043daef7666a1a3cb1c18f8880c43e6f839a98414080
                    • Instruction ID: 3af64b2a552103f9588efe803a85c1d7fe55fee0a841314a3cdd3640ab4acc91
                    • Opcode Fuzzy Hash: a8def76b33f6a24b0ab0043daef7666a1a3cb1c18f8880c43e6f839a98414080
                    • Instruction Fuzzy Hash: 6E018FB270430A9FDB24EEA8DC95C3AB3D8EB54214754492DE89AC3340E635FC00CB61
                    APIs
                      • Part of subcall function 0589FFFA: __getptd.LIBCMT ref: 058A0000
                      • Part of subcall function 0589FFFA: __getptd.LIBCMT ref: 058A0010
                    • __getptd.LIBCMT ref: 058A05D3
                      • Part of subcall function 05893D4B: __getptd_noexit.LIBCMT ref: 05893D4E
                      • Part of subcall function 05893D4B: __amsg_exit.LIBCMT ref: 05893D5B
                    • __getptd.LIBCMT ref: 058A05E1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4460155852.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: true
                    • Associated: 00000000.00000002.4460155852.00000000058B4000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5880000_Wk6IMAhBNF.jbxd
                    Similarity
                    • API ID: __getptd$__amsg_exit__getptd_noexit
                    • String ID: csm
                    • API String ID: 803148776-1018135373
                    • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                    • Instruction ID: ab45b7028b632d56cbb7048a11012baae2c6a5cbc7e83483af1ba82223dcda62
                    • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                    • Instruction Fuzzy Hash: 71012C36901305CFEF289F6AC45CA6DB3B5BF94219F58481DD882D6590CF349D81CEA2
                    APIs
                    • std::_Xinvalid_argument.LIBCPMT ref: 0040AB2D
                      • Part of subcall function 00414B1C: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00414B28
                      • Part of subcall function 00414B1C: __CxxThrowException@8.LIBVCRUNTIME ref: 00414B36
                      • Part of subcall function 00414B5C: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00414B68
                      • Part of subcall function 00414B5C: __CxxThrowException@8.LIBVCRUNTIME ref: 00414B76
                    Strings
                    • invalid stoi argument, xrefs: 0040AB28
                    • stoi argument out of range, xrefs: 0040AB32
                    Memory Dump Source
                    • Source File: 00000000.00000002.4457048912.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_Wk6IMAhBNF.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throwstd::invalid_argument::invalid_argument$Xinvalid_argumentstd::_
                    • String ID: invalid stoi argument$stoi argument out of range
                    • API String ID: 2589434974-1606216832
                    • Opcode ID: aa4968aba13a43a5c16a699d1b1b55d0bc9c810550d94cbb7f684cd8eff8e7fc
                    • Instruction ID: 58f874d3dd26a64f0c691c3d6c0e84d97b5bb4d828d09f02d86860d651299440
                    • Opcode Fuzzy Hash: aa4968aba13a43a5c16a699d1b1b55d0bc9c810550d94cbb7f684cd8eff8e7fc
                    • Instruction Fuzzy Hash: AFF0E232600224BBDB14BA89E803A997369DF82315B41017BF44467152DAB87D908BBE